# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: May 6 2020 08:26:37 # Log Creation Date: 09.05.2020 23:25:52.879 Process: id = "1" image_name = "buddingpulvers.exe" filename = "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe" page_root = "0xea0f000" os_pid = "0x111c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x1124 [0073.970] GetVersion () returned 0x23f00206 [0073.971] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x772d0000 [0073.972] GetProcAddress (hModule=0x772d0000, lpProcName="IsTNT") returned 0x0 [0073.972] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x20c0000 [0073.973] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x20d0000 [0073.973] VirtualAlloc (lpAddress=0x20d0000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x20d0000 [0073.980] GetCurrentThreadId () returned 0x1124 [0073.980] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe\" " [0073.980] GetEnvironmentStringsW () returned 0x497da0* [0073.980] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0073.980] RtlAllocateHeap (HeapHandle=0x20c0000, Flags=0x0, Size=0x570) returned 0x20c05a8 [0073.981] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x20c05a8, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0073.981] FreeEnvironmentStringsW (penv=0x497da0) returned 1 [0073.981] RtlAllocateHeap (HeapHandle=0x20c0000, Flags=0x0, Size=0x480) returned 0x20c0b20 [0073.981] GetStartupInfoA (in: lpStartupInfo=0x19f8c4 | out: lpStartupInfo=0x19f8c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0073.981] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0073.981] GetFileType (hFile=0x0) returned 0x0 [0073.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0073.981] GetFileType (hFile=0x0) returned 0x0 [0073.981] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0073.981] GetFileType (hFile=0x0) returned 0x0 [0073.981] SetHandleCount (uNumber=0x20) returned 0x20 [0073.981] GetACP () returned 0x4e4 [0073.981] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f8ec | out: lpCPInfo=0x19f8ec) returned 1 [0073.981] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x6610c528, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0073.983] HeapFree (in: hHeap=0x20c0000, dwFlags=0x0, lpMem=0x20c05a8 | out: hHeap=0x20c0000) returned 1 [0073.983] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x772d0000 [0073.984] GetProcAddress (hModule=0x772d0000, lpProcName="IsProcessorFeaturePresent") returned 0x772e5960 [0073.984] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0073.984] RtlAllocateHeap (HeapHandle=0x20c0000, Flags=0x8, Size=0x800) returned 0x20c0fa8 [0074.080] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x148 [0074.080] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x14c [0074.081] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0074.081] GetModuleFileNameA (in: hModule=0x66000000, lpFilename=0x6610e6c8, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0074.081] GetVersion () returned 0x23f00206 [0074.081] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0074.091] GetUserDefaultLCID () returned 0x409 [0074.091] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0074.092] GetSystemMetrics (nIndex=5) returned 1 [0074.092] GetSystemMetrics (nIndex=6) returned 1 [0074.092] GetSystemMetrics (nIndex=11) returned 32 [0074.092] GetSystemMetrics (nIndex=12) returned 32 [0074.092] GetSystemMetrics (nIndex=34) returned 136 [0074.092] GetSystemMetrics (nIndex=35) returned 39 [0074.092] GetSystemMetrics (nIndex=0) returned 1440 [0074.092] GetSystemMetrics (nIndex=1) returned 900 [0074.092] GetSystemMetrics (nIndex=32) returned 8 [0074.092] GetSystemMetrics (nIndex=33) returned 8 [0074.092] GetSystemMetrics (nIndex=42) returned 0 [0074.093] GetStockObject (i=15) returned 0x88000b [0074.093] GetStockObject (i=7) returned 0xb00017 [0074.093] GetStockObject (i=6) returned 0xb00018 [0074.093] GetStockObject (i=8) returned 0xb00016 [0074.093] GetStockObject (i=4) returned 0x900011 [0074.093] GetStockObject (i=2) returned 0x900012 [0074.093] GetStockObject (i=0) returned 0x900010 [0074.093] GetStockObject (i=5) returned 0x900015 [0074.093] GetStockObject (i=13) returned 0x8a01c2 [0074.093] GetDC (hWnd=0x0) returned 0x10105d6 [0074.093] GetTextExtentPointA (in: hdc=0x10105d6, lpString="0", c=1, lpsz=0x19f8e8 | out: lpsz=0x19f8e8) returned 1 [0074.105] GetDeviceCaps (hdc=0x10105d6, index=14) returned 1 [0074.105] GetDeviceCaps (hdc=0x10105d6, index=12) returned 32 [0074.105] GetDeviceCaps (hdc=0x10105d6, index=88) returned 96 [0074.105] GetDeviceCaps (hdc=0x10105d6, index=90) returned 96 [0074.105] GetDeviceCaps (hdc=0x10105d6, index=38) returned 32409 [0074.106] ReleaseDC (hWnd=0x0, hDC=0x10105d6) returned 1 [0074.106] HeapCreate (flOptions=0x0, dwInitialSize=0x0, dwMaximumSize=0x0) returned 0x2960000 [0074.106] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x6610e7d0 | out: ppMalloc=0x6610e7d0*=0x74b3d000) returned 0x0 [0074.107] GetCurrentThreadId () returned 0x1124 [0074.108] GetStartupInfoA (in: lpStartupInfo=0x19ff18 | out: lpStartupInfo=0x19ff18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0074.108] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x104) returned 0x29605a8 [0074.108] GetCurrentThreadId () returned 0x1124 [0074.108] GetCurrentThreadId () returned 0x1124 [0074.108] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xec8) returned 0x29606b8 [0074.229] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe\" " [0074.229] lstrlenA (lpString="") returned 0 [0074.229] lstrcpyA (in: lpString1=0x19fea4, lpString2="" | out: lpString1="") returned="" [0074.229] SetErrorMode (uMode=0x8001) returned 0x0 [0074.230] GetModuleFileNameA (in: hModule=0x66000000, lpFilename=0x19fb60, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0074.230] GetUserDefaultLCID () returned 0x409 [0074.230] GetUserDefaultLCID () returned 0x409 [0074.231] LoadStringA (in: hInstance=0x66000000, uID=0x7d1, lpBuffer=0x19fc64, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0074.231] GetSystemDefaultLCID () returned 0x409 [0074.231] GetUserDefaultLCID () returned 0x409 [0074.231] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x19fc6e, cchData=2 | out: lpLCData=".") returned 2 [0074.231] GetStockObject (i=13) returned 0x8a01c2 [0074.231] GetObjectA (in: h=0x8a01c2, c=60, pv=0x19fc34 | out: pv=0x19fc34) returned 60 [0074.231] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x19fc30, cchData=4 | out: lpLCData="ENU") returned 4 [0074.231] lstrcpyA (in: lpString1=0x19fc60, lpString2="EN" | out: lpString1="EN") returned="EN" [0074.231] lstrlenA (lpString="{xx}") returned 4 [0074.231] lstrlenA (lpString="VB98.CHM") returned 8 [0074.232] lstrcpyA (in: lpString1=0x6610eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0074.232] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x19fc30, cchData=4 | out: lpLCData="ENU") returned 4 [0074.232] lstrcpyA (in: lpString1=0x19fc60, lpString2="EN" | out: lpString1="EN") returned="EN" [0074.232] lstrlenA (lpString="{xx}") returned 4 [0074.232] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0074.232] lstrcpyA (in: lpString1=0x6610ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0074.232] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x19fd88, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0074.232] GetModuleFileNameA (in: hModule=0x66000000, lpFilename=0x19fc84, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0074.232] lstrcpynA (in: lpString1=0x19fb68, lpString2="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL") returned="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL" [0074.232] lstrlenA (lpString="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL") returned 32 [0074.232] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x21) returned 0x2961588 [0074.232] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x21) returned 0x29615b8 [0074.232] lstrcpyA (in: lpString1=0x2961588, lpString2="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL" | out: lpString1="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL") returned="C:\\WINDOWS\\SYSTEM32\\MSVBVM60.DLL" [0074.232] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", cchSrc=-1, lpDestStr=0x19fb48, cchDest=260 | out: lpDestStr="C:\\USERS\\FD1HVY\\DESKTOP\\BUDDINGPULVERS.EXE") returned 43 [0074.268] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x19fc4c, dwRevision=0x1 | out: pSecurityDescriptor=0x19fc4c) returned 1 [0074.269] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x19fc4c, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x19fc4c) returned 1 [0074.269] CreateSemaphoreA (lpSemaphoreAttributes=0x19fc60, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?FD1HVY?DESKTOP?BUDDINGPULVERS.EXE") returned 0x160 [0074.269] GetLastError () returned 0x0 [0074.287] GetVersionExA (in: lpVersionInformation=0x19fbc4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fbc4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0074.290] OleInitialize (pvReserved=0x0) returned 0x0 [0075.689] OaBuildVersion () returned 0x321396 [0075.690] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x77440000 [0075.690] GetLastError () returned 0x0 [0075.690] GetProcAddress (hModule=0x77440000, lpProcName="OleLoadPictureEx") returned 0x774ae5f0 [0075.690] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc194 [0075.690] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc07a [0075.691] GetClassInfoA (in: hInstance=0x66000000, lpClassName="VBFocusRT6", lpWndClass=0x19fc2c | out: lpWndClass=0x19fc2c) returned 0 [0075.691] RegisterClassA (lpWndClass=0x19fc2c) returned 0xc196 [0075.691] GetClassInfoA (in: hInstance=0x66000000, lpClassName="VBBubbleRT6", lpWndClass=0x19fc2c | out: lpWndClass=0x19fc2c) returned 0 [0075.691] RegisterClassA (lpWndClass=0x19fc2c) returned 0xc195 [0075.691] HeapCreate (flOptions=0x0, dwInitialSize=0x400, dwMaximumSize=0x0) returned 0x2030000 [0075.692] GetUserDefaultLCID () returned 0x409 [0075.692] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x3a4) returned 0x29615e8 [0075.692] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x3a4) returned 0x2961998 [0075.692] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xd4) returned 0x2961d48 [0075.692] GetSystemInfo (in: lpSystemInfo=0x19fbec | out: lpSystemInfo=0x19fbec*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0075.692] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x430000 [0075.692] VirtualAlloc (lpAddress=0x430000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0075.692] VirtualAlloc (lpAddress=0x430000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0075.692] VirtualAlloc (lpAddress=0x430000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0075.693] VirtualAlloc (lpAddress=0x430000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0075.693] VirtualAlloc (lpAddress=0x430000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0075.693] VirtualAlloc (lpAddress=0x430000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0075.693] VirtualProtect (in: lpAddress=0x430000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x19fc48 | out: lpflOldProtect=0x19fc48*=0x4) returned 1 [0075.695] GetCurrentProcess () returned 0xffffffff [0075.695] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x430000, dwSize=0x6000) returned 1 [0075.695] GlobalAddAtomA (lpString="VBDisabled") returned 0xc189 [0075.695] GetVersion () returned 0x23f00206 [0075.695] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x77440000 [0075.695] GetProcAddress (hModule=0x77440000, lpProcName="DispCallFunc") returned 0x7747b8f0 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="LoadTypeLibEx") returned 0x774563f0 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="UnRegisterTypeLib") returned 0x77494910 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="CreateTypeLib2") returned 0x77476040 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="VarDateFromUdate") returned 0x77462cb0 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="VarUdateFromDate") returned 0x77462dc0 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="GetAltMonthNames") returned 0x774aacd0 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="VarNumFromParseNum") returned 0x77465920 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="VarParseNumFromStr") returned 0x77459490 [0075.696] GetProcAddress (hModule=0x77440000, lpProcName="VarDecFromR4") returned 0x77453090 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="VarDecFromR8") returned 0x774af1a0 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="VarDecFromDate") returned 0x774af000 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="VarDecFromI4") returned 0x774af0f0 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="VarDecFromCy") returned 0x774aefc0 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="VarR4FromDec") returned 0x774af7b0 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x77462220 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="GetRecordInfoFromGuids") returned 0x774ae250 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="SafeArrayGetRecordInfo") returned 0x774ae9a0 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="SafeArraySetRecordInfo") returned 0x77463550 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="SafeArrayGetIID") returned 0x774ae960 [0075.697] GetProcAddress (hModule=0x77440000, lpProcName="SafeArraySetIID") returned 0x77461a60 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="SafeArrayCopyData") returned 0x77463ee0 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x774636b0 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="SafeArrayCreateEx") returned 0x774635c0 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarFormat") returned 0x77478000 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarFormatDateTime") returned 0x774b1240 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarFormatNumber") returned 0x774b1290 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarFormatPercent") returned 0x774b1340 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarFormatCurrency") returned 0x774b1180 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarWeekdayName") returned 0x774b1480 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarMonthName") returned 0x774b13e0 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarAdd") returned 0x7747d610 [0075.698] GetProcAddress (hModule=0x77440000, lpProcName="VarAnd") returned 0x77473200 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarCat") returned 0x77472f10 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarDiv") returned 0x774a5800 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarEqv") returned 0x774a6160 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarIdiv") returned 0x774a61a0 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarImp") returned 0x774a6320 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarMod") returned 0x774a6400 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarMul") returned 0x7747db10 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarOr") returned 0x774a6610 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarPow") returned 0x774a5e40 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarSub") returned 0x7747e3e0 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarXor") returned 0x774a67b0 [0075.699] GetProcAddress (hModule=0x77440000, lpProcName="VarAbs") returned 0x774a4ca0 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarFix") returned 0x774a4f50 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarInt") returned 0x774a5100 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarNeg") returned 0x774a52c0 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarNot") returned 0x774a6560 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarRound") returned 0x774a54f0 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarCmp") returned 0x774660b0 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarDecAdd") returned 0x7747b090 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarDecCmp") returned 0x7747b870 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarBstrCat") returned 0x77466fc0 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarCyMulI4") returned 0x7747aac0 [0075.700] GetProcAddress (hModule=0x77440000, lpProcName="VarBstrCmp") returned 0x77466590 [0075.701] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x753c0000 [0075.701] GetProcAddress (hModule=0x753c0000, lpProcName="CoCreateInstanceEx") returned 0x74a52d10 [0075.701] GetProcAddress (hModule=0x753c0000, lpProcName="CLSIDFromProgIDEx") returned 0x74a45cf0 [0075.701] GetSystemMetrics (nIndex=42) returned 0 [0075.701] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x6610e688 | out: ppMalloc=0x6610e688*=0x74b3d000) returned 0x0 [0075.701] IMalloc:Alloc (This=0x74b3d000, cb=0x4) returned 0x4941e8 [0075.701] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19f960, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0075.701] lstrcatA (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe.cfg") returned="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe.cfg" [0075.701] SetLastError (dwErrCode=0x0) [0075.701] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x19f85c, lpFilePart=0x19f830 | out: lpBuffer="", lpFilePart=0x19f830*="\x8bÿU\x8bì\x83ì\x1cS\x8b]\x0cVWÆEÿ") returned 0x0 [0075.702] SetLastError (dwErrCode=0x2) [0075.702] GetLastError () returned 0x2 [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="MTX") returned -1 [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="DLLHOST") returned -1 [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="INETINFO") returned -1 [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="W3WP") returned -1 [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="ASPNET_WP") returned 1 [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="DLLHST3G") returned -1 [0075.702] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19f954, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0075.702] lstrcmpiA (lpString1="BUDDINGPULVERS", lpString2="IEXPLORE") returned -1 [0075.702] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74250000 [0076.159] GetLastError () returned 0x0 [0076.159] GetProcAddress (hModule=0x74250000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x742b9bc0 [0076.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19fea4, cbMultiByte=-1, lpWideCharStr=0x19fea0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0076.159] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x1c) returned 0x2961e28 [0076.160] CoRegisterMessageFilter (in: lpMessageFilter=0x2961e2c, lplpMessageFilter=0x2961e34 | out: lplpMessageFilter=0x2961e34*=0x0) returned 0x0 [0076.160] IUnknown:AddRef (This=0x2961e2c) returned 0x2 [0076.160] GetClassInfoExA (in: hInstance=0x66000000, lpszClass="ThunderRT6Main", lpwcx=0x19fe70 | out: lpwcx=0x19fe70) returned 0 [0076.160] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0xa0123 [0076.166] GetModuleHandleA (lpModuleName="USER32") returned 0x750c0000 [0076.167] GetProcAddress (hModule=0x750c0000, lpProcName="GetSystemMetrics") returned 0x750eddc0 [0076.167] GetProcAddress (hModule=0x750c0000, lpProcName="MonitorFromWindow") returned 0x750d5c10 [0076.167] GetProcAddress (hModule=0x750c0000, lpProcName="MonitorFromRect") returned 0x750d5820 [0076.167] GetProcAddress (hModule=0x750c0000, lpProcName="MonitorFromPoint") returned 0x750d6810 [0076.167] GetProcAddress (hModule=0x750c0000, lpProcName="EnumDisplayMonitors") returned 0x750f32e0 [0076.167] GetProcAddress (hModule=0x750c0000, lpProcName="GetMonitorInfoA") returned 0x750edf30 [0076.167] GetSystemMetrics (nIndex=0) returned 1440 [0076.167] GetSystemMetrics (nIndex=78) returned 1440 [0076.167] GetSystemMetrics (nIndex=1) returned 900 [0076.167] GetSystemMetrics (nIndex=79) returned 900 [0076.167] GetSystemMetrics (nIndex=50) returned 16 [0076.167] GetSystemMetrics (nIndex=49) returned 16 [0076.167] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0xa0193 [0076.168] RegisterClassExA (param_1=0x19fe70) returned 0xc199 [0076.169] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x66000000, lpParam=0x0) returned 0x202b6 [0077.364] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x81, wParam=0x0, lParam=0x19f9e0) returned 0x1 [0077.371] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x83, wParam=0x0, lParam=0x19f9cc) returned 0x0 [0077.371] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x1, wParam=0x0, lParam=0x19f9e0) returned 0x0 [0077.371] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0077.371] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0077.372] MonitorFromWindow (hwnd=0x202b6, dwFlags=0x2) returned 0x10001 [0077.372] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x19fe78 | out: lpmi=0x19fe78) returned 1 [0077.372] SetWindowPos (hWnd=0x202b6, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0077.372] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x46, wParam=0x0, lParam=0x19fe1c) returned 0x0 [0077.374] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x47, wParam=0x0, lParam=0x19fe1c) returned 0x0 [0077.374] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0077.374] ShowWindow (hWnd=0x202b6, nCmdShow=4) returned 0 [0077.374] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0077.374] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x46, wParam=0x0, lParam=0x19fe2c) returned 0x0 [0077.380] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x47, wParam=0x0, lParam=0x19fe2c) returned 0x0 [0077.380] GetWindowThreadProcessId (in: hWnd=0x202b6, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x1124 [0077.380] VirtualQuery (in: lpAddress=0x19fea0, lpBuffer=0x19fe84, dwLength=0x1c | out: lpBuffer=0x19fe84*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0077.381] GetUserDefaultLCID () returned 0x409 [0077.381] IsValidCodePage (CodePage=0x3a4) returned 1 [0077.381] IsValidCodePage (CodePage=0x3b5) returned 1 [0077.381] IsValidCodePage (CodePage=0x3b6) returned 1 [0077.382] IsValidCodePage (CodePage=0x3a8) returned 1 [0077.384] GetUserDefaultLangID () returned 0x409 [0077.384] GetSystemDefaultLangID () returned 0x490409 [0077.384] GetSystemMetrics (nIndex=42) returned 0 [0077.385] IMalloc:Alloc (This=0x74b3d000, cb=0xa8) returned 0x490ab8 [0077.385] IMalloc:GetSize (This=0x74b3d000, pv=0x490ab8) returned 0xa8 [0077.385] IMalloc:Alloc (This=0x74b3d000, cb=0xc) returned 0x4a1688 [0077.385] GetCurrentThreadId () returned 0x1124 [0077.385] IMalloc:Alloc (This=0x74b3d000, cb=0x3c) returned 0x496290 [0077.385] IMalloc:Alloc (This=0x74b3d000, cb=0x1c) returned 0x48ad20 [0077.386] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x19fe6c | out: phkResult=0x19fe6c*=0x0) returned 0x2 [0077.386] IMalloc:Alloc (This=0x74b3d000, cb=0x1c) returned 0x48ad48 [0077.386] GetCurrentThreadId () returned 0x1124 [0077.386] SetWindowsHookExA (idHook=-1, lpfn=0x66061e09, hmod=0x0, dwThreadId=0x1124) returned 0x13029b [0077.386] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x14) returned 0x2961e50 [0077.386] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x80) returned 0x2961e70 [0077.386] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x10) returned 0x2961ef8 [0077.386] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x2c) returned 0x2961f10 [0077.386] GetClassInfoA (in: hInstance=0x66000000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x19fdc4 | out: lpWndClass=0x19fdc4) returned 0 [0077.386] RegisterClassA (lpWndClass=0x19fdc4) returned 0xc19a [0077.387] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x66000000, lpParam=0x0) returned 0x901f8 [0077.387] NtdllDefWindowProc_A (hWnd=0x901f8, Msg=0x81, wParam=0x0, lParam=0x19f990) returned 0x1 [0077.387] NtdllDefWindowProc_A (hWnd=0x901f8, Msg=0x83, wParam=0x0, lParam=0x19f97c) returned 0x0 [0077.388] NtdllDefWindowProc_A (hWnd=0x901f8, Msg=0x1, wParam=0x0, lParam=0x19f990) returned 0x0 [0077.388] NtdllDefWindowProc_A (hWnd=0x901f8, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0077.388] NtdllDefWindowProc_A (hWnd=0x901f8, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0077.390] SetWindowLongA (hWnd=0x901f8, nIndex=0, dwNewLong=43392628) returned 0 [0077.390] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x38) returned 0x2961f48 [0077.390] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x18) returned 0x2961f88 [0077.390] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x10) returned 0x2961fa8 [0077.390] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0077.391] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0077.391] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0077.391] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0077.391] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0077.391] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0077.391] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0077.391] CreateCompatibleDC (hdc=0x0) returned 0x3f010542 [0077.391] GetCurrentObject (hdc=0x3f010542, type=0x7) returned 0x85000f [0077.391] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x202b6, hMenu=0x0, hInstance=0x66000000, lpParam=0x0) returned 0x70030 [0077.391] NtdllDefWindowProc_A (hWnd=0x70030, Msg=0x81, wParam=0x0, lParam=0x19fa20) returned 0x1 [0077.392] NtdllDefWindowProc_A (hWnd=0x70030, Msg=0x83, wParam=0x0, lParam=0x19fa0c) returned 0x0 [0077.392] NtdllDefWindowProc_A (hWnd=0x70030, Msg=0x1, wParam=0x0, lParam=0x19fa20) returned 0x0 [0077.392] NtdllDefWindowProc_A (hWnd=0x70030, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0077.392] NtdllDefWindowProc_A (hWnd=0x70030, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0077.393] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x210, wParam=0x1, lParam=0x70030) returned 0x0 [0077.393] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x18) returned 0x2961fc0 [0077.393] RtlAllocateHeap (HeapHandle=0x2030000, Flags=0x8, Size=0x114) returned 0x20305a8 [0077.393] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x5c) returned 0x2961fe8 [0077.394] GetCurrentThreadId () returned 0x1124 [0077.394] GetCurrentThreadId () returned 0x1124 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x10) returned 0x2962050 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x30) returned 0x2962068 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x434) returned 0x29620a0 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x434) returned 0x29624e0 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x3c) returned 0x2962920 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2962968 [0077.394] lstrlenA (lpString="VB") returned 2 [0077.394] lstrlenA (lpString="Printer") returned 7 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xb) returned 0x2962a88 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xdc) returned 0x2962aa0 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x28) returned 0x2962b88 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2962bb8 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x28) returned 0x2962bd8 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2962c08 [0077.394] lstrlenA (lpString="VB") returned 2 [0077.394] lstrlenA (lpString="Form") returned 4 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x8) returned 0x2962d28 [0077.394] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x184) returned 0x2962d38 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x7c) returned 0x2962ec8 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x2f8) returned 0x2962f50 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2963250 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2963270 [0077.395] lstrlenA (lpString="VB") returned 2 [0077.395] lstrlenA (lpString="Screen") returned 6 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa) returned 0x2963390 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x2c) returned 0x29633a8 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa0) returned 0x29633e0 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2963488 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x29634a8 [0077.395] lstrlenA (lpString="VB") returned 2 [0077.395] lstrlenA (lpString="Clipboard") returned 9 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xd) returned 0x29635c8 [0077.395] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x1c) returned 0x29635e0 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x68) returned 0x2963608 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2963678 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2963698 [0077.396] lstrlenA (lpString="VB") returned 2 [0077.396] lstrlenA (lpString="MDIForm") returned 7 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xb) returned 0x29637b8 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x184) returned 0x29637d0 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x7c) returned 0x2963960 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x2f8) returned 0x29639e8 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2963ce8 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2963d08 [0077.396] lstrlenA (lpString="VB") returned 2 [0077.396] lstrlenA (lpString="App") returned 3 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x7) returned 0x2963e28 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x84) returned 0x2963e38 [0077.396] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x148) returned 0x2963ec8 [0077.396] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x2962b88, Size=0x50) returned 0x2964018 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2962b88 [0077.397] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x2962bd8, Size=0x50) returned 0x2964070 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x29640c8 [0077.397] lstrlenA (lpString="VB") returned 2 [0077.397] lstrlenA (lpString="Image") returned 5 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x9) returned 0x2962bd8 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x24) returned 0x29641e8 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x98) returned 0x2964218 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x34) returned 0x29642b8 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x154) returned 0x29642f8 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2964458 [0077.397] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2964478 [0077.397] lstrlenA (lpString="VB") returned 2 [0077.397] lstrlenA (lpString="UserControl") returned 11 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xf) returned 0x2962bf0 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x1e4) returned 0x2964598 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xb0) returned 0x2964788 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x3a4) returned 0x2964840 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2964bf0 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2964c10 [0077.398] lstrlenA (lpString="VB") returned 2 [0077.398] lstrlenA (lpString="PropertyPage") returned 12 [0077.398] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x10) returned 0x2964d30 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x190) returned 0x2964d48 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x88) returned 0x2964ee0 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x310) returned 0x2964f70 [0077.399] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2965288 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x29652a8 [0077.399] lstrlenA (lpString="VB") returned 2 [0077.399] lstrlenA (lpString="UserDocument") returned 12 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x10) returned 0x29653c8 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x1c8) returned 0x29653e0 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xa8) returned 0x29655b0 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x370) returned 0x2965660 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x29659d8 [0077.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x20) returned 0x29659f8 [0077.400] RtlAllocateHeap (HeapHandle=0x2030000, Flags=0x8, Size=0x30) returned 0x20306c8 [0077.401] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xa0) returned 0x2965a20 [0077.401] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x2965ac8 [0077.401] GetCurrentThreadId () returned 0x1124 [0077.401] GetCurrentThreadId () returned 0x1124 [0077.402] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x10) returned 0x2965af8 [0077.402] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2965b10 [0077.402] lstrlenA (lpString="VB") returned 2 [0077.402] lstrlenA (lpString="PictureBox") returned 10 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xe) returned 0x2965c30 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x16c) returned 0x2965c48 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x68) returned 0x2965dc0 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x2c8) returned 0x2965e30 [0077.403] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x2964018, Size=0x78) returned 0x2966100 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2964018 [0077.403] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x2964070, Size=0x78) returned 0x2966180 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2966200 [0077.403] lstrlenA (lpString="VB") returned 2 [0077.403] lstrlenA (lpString="Label") returned 5 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x9) returned 0x2964038 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x34) returned 0x2964050 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xf0) returned 0x2966320 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x48) returned 0x2966418 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1f4) returned 0x2966468 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2964090 [0077.403] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2966668 [0077.404] lstrlenA (lpString="VB") returned 2 [0077.404] lstrlenA (lpString="TextBox") returned 7 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xb) returned 0x29640b0 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x38) returned 0x2966788 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x120) returned 0x29667c8 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x60) returned 0x29668f0 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x250) returned 0x2966958 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2966bb0 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2966bd0 [0077.404] lstrlenA (lpString="VB") returned 2 [0077.404] lstrlenA (lpString="Frame") returned 5 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x9) returned 0x2966cf0 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x24) returned 0x2966d08 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xb0) returned 0x2966d38 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x34) returned 0x2966df0 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x184) returned 0x2966e30 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x2966fc0 [0077.404] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x2969f18 [0077.405] lstrlenA (lpString="VB") returned 2 [0077.405] lstrlenA (lpString="CommandButton") returned 13 [0077.405] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x11) returned 0x29604a0 [0077.405] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x29604c0 [0077.405] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xd4) returned 0x296a038 [0077.405] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x44) returned 0x29604f0 [0077.405] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1c8) returned 0x296a118 [0077.405] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a590 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296aaf0 [0077.406] lstrlenA (lpString="VB") returned 2 [0077.406] lstrlenA (lpString="CheckBox") returned 8 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xc) returned 0x2960540 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x2960558 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xec) returned 0x296ac10 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x48) returned 0x296ad08 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1f8) returned 0x296ad58 [0077.406] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x2966100, Size=0xa0) returned 0x296af58 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a330 [0077.406] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x2966180, Size=0xa0) returned 0x296b000 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296b0a8 [0077.406] lstrlenA (lpString="VB") returned 2 [0077.406] lstrlenA (lpString="OptionButton") returned 12 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x10) returned 0x296b2b0 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x2966100 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xd4) returned 0x296b3d0 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x4c) returned 0x2966130 [0077.406] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1c8) returned 0x296b4b0 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a5b0 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296c360 [0077.407] lstrlenA (lpString="VB") returned 2 [0077.407] lstrlenA (lpString="ComboBox") returned 8 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xc) returned 0x296b268 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x108) returned 0x296c688 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x4c) returned 0x296c8c8 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x230) returned 0x296cfa0 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a5d0 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296b8f8 [0077.407] lstrlenA (lpString="VB") returned 2 [0077.407] lstrlenA (lpString="ListBox") returned 7 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xb) returned 0x296b280 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x108) returned 0x296d1d8 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x54) returned 0x2966188 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x230) returned 0x296d2e8 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a510 [0077.407] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296c238 [0077.408] lstrlenA (lpString="VB") returned 2 [0077.408] lstrlenA (lpString="HScrollBar") returned 10 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xe) returned 0x296b3a0 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x24) returned 0x296d520 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x90) returned 0x296d550 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x296d5e8 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x144) returned 0x296d618 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a4b0 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296c488 [0077.408] lstrlenA (lpString="VB") returned 2 [0077.408] lstrlenA (lpString="VScrollBar") returned 10 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xe) returned 0x296b2c8 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x24) returned 0x296d768 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x90) returned 0x296d798 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x296d830 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x144) returned 0x296d860 [0077.408] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x296af58, Size=0xc8) returned 0x296d9b0 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a6d0 [0077.408] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x296b000, Size=0xc8) returned 0x296da80 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296b6a8 [0077.408] lstrlenA (lpString="VB") returned 2 [0077.408] lstrlenA (lpString="Timer") returned 5 [0077.408] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x9) returned 0x296b298 [0077.411] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xc) returned 0x296b250 [0077.411] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x30) returned 0x296af58 [0077.411] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x4) returned 0x2962ba8 [0077.411] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x9c) returned 0x296af90 [0077.411] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a630 [0077.411] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296bd98 [0077.412] lstrlenA (lpString="VB") returned 2 [0077.412] lstrlenA (lpString="DriveListBox") returned 12 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x10) returned 0x296b388 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x296b038 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xc0) returned 0x296db50 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x40) returned 0x296dc18 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1a0) returned 0x296dc60 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a6b0 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296b7d0 [0077.412] lstrlenA (lpString="VB") returned 2 [0077.412] lstrlenA (lpString="DirListBox") returned 10 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xe) returned 0x296b2e0 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x296b068 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xc8) returned 0x296de08 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x50) returned 0x296ca28 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1b0) returned 0x296ded8 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a670 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296ba20 [0077.412] lstrlenA (lpString="VB") returned 2 [0077.412] lstrlenA (lpString="FileListBox") returned 11 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xf) returned 0x296b340 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x28) returned 0x296e090 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xec) returned 0x296e0c0 [0077.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x58) returned 0x296e1b8 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1f8) returned 0x296e218 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a310 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296bb48 [0077.413] lstrlenA (lpString="VB") returned 2 [0077.413] lstrlenA (lpString="Menu") returned 4 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x8) returned 0x296b098 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x38) returned 0x296e418 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x4) returned 0x29661e8 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xb8) returned 0x296e458 [0077.413] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x296d9b0, Size=0xf0) returned 0x296e518 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a450 [0077.413] RtlReAllocateHeap (Heap=0x2960000, Flags=0x0, Ptr=0x296da80, Size=0xf0) returned 0x296e610 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296bec0 [0077.413] lstrlenA (lpString="VB") returned 2 [0077.413] lstrlenA (lpString="Shape") returned 5 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x9) returned 0x296b358 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x1c) returned 0x296d9b0 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x68) returned 0x296d9d8 [0077.413] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xfc) returned 0x296da48 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a3d0 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296bfe8 [0077.414] lstrlenA (lpString="VB") returned 2 [0077.414] lstrlenA (lpString="Line") returned 4 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x8) returned 0x2960588 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x18) returned 0x296a530 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x50) returned 0x296c7c0 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xd0) returned 0x296e708 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a5f0 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296c110 [0077.414] lstrlenA (lpString="VB") returned 2 [0077.414] lstrlenA (lpString="Data") returned 4 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x8) returned 0x2960598 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xd8) returned 0x296e7e0 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x3c) returned 0x296e8c0 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1d8) returned 0x296e908 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a550 [0077.414] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x114) returned 0x296bc70 [0077.414] lstrlenA (lpString="VB") returned 2 [0077.415] lstrlenA (lpString="OLE") returned 3 [0077.415] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x7) returned 0x296eae8 [0077.415] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x17c) returned 0x296eaf8 [0077.415] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x40) returned 0x296ec80 [0077.415] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x2f0) returned 0x296ecc8 [0077.415] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a350 [0077.421] IMalloc:Alloc (This=0x74b3d000, cb=0x64) returned 0x4912e8 [0077.422] IMalloc:Alloc (This=0x74b3d000, cb=0xc) returned 0x4a1898 [0077.422] IMalloc:Alloc (This=0x74b3d000, cb=0x2c) returned 0x4aa5e0 [0077.422] IMalloc:GetSize (This=0x74b3d000, pv=0x4aa5e0) returned 0x2c [0077.422] IMalloc:Alloc (This=0x74b3d000, cb=0x20) returned 0x48ad70 [0077.422] GetCurrentThreadId () returned 0x1124 [0077.422] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x54) returned 0x2810048 [0077.422] GetCurrentThreadId () returned 0x1124 [0077.422] IMalloc:Alloc (This=0x74b3d000, cb=0x1c) returned 0x48ad98 [0077.423] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x104) returned 0x28100a8 [0077.423] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x6f8) returned 0x28101b8 [0077.423] VirtualProtect (in: lpAddress=0x430000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x19fdf0 | out: lpflOldProtect=0x19fdf0*=0x20) returned 1 [0077.423] GetCurrentProcess () returned 0xffffffff [0077.423] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x430000, dwSize=0x6000) returned 1 [0077.423] VirtualAlloc (lpAddress=0x430000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0077.423] VirtualAlloc (lpAddress=0x430000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0077.423] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xd4) returned 0x28108b8 [0077.423] VirtualAlloc (lpAddress=0x430000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0077.424] VirtualAlloc (lpAddress=0x430000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0077.424] VirtualProtect (in: lpAddress=0x430000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x19fdf0 | out: lpflOldProtect=0x19fdf0*=0x4) returned 1 [0077.435] GetCurrentProcess () returned 0xffffffff [0077.435] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x430000, dwSize=0xa000) returned 1 [0077.435] GetCurrentThreadId () returned 0x1124 [0077.435] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x23ec) returned 0x2810998 [0077.446] GetCurrentThreadId () returned 0x1124 [0077.447] SetWindowTextA (hWnd=0x202b6, lpString="FLOCKLESS") returned 1 [0077.447] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0xc, wParam=0x0, lParam=0x19fd64) returned 0x1 [0077.447] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x19fd4c | out: phkResult=0x19fd4c*=0x0) returned 0x2 [0077.450] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.450] VirtualQuery (in: lpAddress=0x19f778, lpBuffer=0x19f75c, dwLength=0x1c | out: lpBuffer=0x19f75c*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0077.451] IMalloc:Alloc (This=0x74b3d000, cb=0x44) returned 0x4a6fd8 [0077.451] IMalloc:GetSize (This=0x74b3d000, pv=0x4a6fd8) returned 0x44 [0077.453] GetCurrentThreadId () returned 0x1124 [0077.453] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x104) returned 0x2812d90 [0077.453] GetCurrentThreadId () returned 0x1124 [0077.453] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x58) returned 0x2812ea0 [0077.453] GetCurrentThreadId () returned 0x1124 [0077.472] GetCurrentThreadId () returned 0x1124 [0077.473] GetCurrentThreadId () returned 0x1124 [0077.473] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x140) returned 0x2812f00 [0077.473] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x10) returned 0x296b310 [0077.473] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x434) returned 0x2813048 [0077.473] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x17c [0077.478] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x198) returned 0x2813488 [0077.478] GetVersionExA (in: lpVersionInformation=0x19fa74*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2813488, dwMinorVersion=0x2b8, dwBuildNumber=0x419fd00, dwPlatformId=0x29600c0, szCSDVersion="") | out: lpVersionInformation=0x19fa74*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0077.478] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0077.488] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a610 [0077.488] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x14) returned 0x296a3f0 [0077.488] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x80) returned 0x2813628 [0077.488] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x2813628 | out: hHeap=0x2960000) returned 1 [0077.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x66052cd8, cbMultiByte=-1, lpWideCharStr=0x19fa9c, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0077.489] OleCreateFontIndirect () returned 0x0 [0077.491] CFont::SetRatio () returned 0x0 [0077.493] CFont::get_hFont () returned 0x0 [0077.513] CFont::Clone () returned 0x0 [0077.513] CFont::SetRatio () returned 0x0 [0077.513] lstrlenA (lpString="brocheret") returned 9 [0077.513] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa) returned 0x296b3b8 [0077.517] OleLoadPictureEx () returned 0x0 [0078.750] CPicture::get_Type () returned 0x0 [0078.750] CPicture::QueryInterface () returned 0x0 [0078.750] CPicture::get_Type () returned 0x0 [0078.750] CPicture::get_Type () returned 0x0 [0078.750] CPicture::AddRef () returned 0x3 [0078.750] CPicture::Release () returned 0x2 [0078.750] CPicture::Release () returned 0x1 [0078.750] lstrlenA (lpString="brocheret") returned 9 [0078.750] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa) returned 0x296b2f8 [0078.751] lstrlenA (lpString="ThunderRT6") returned 10 [0078.751] lstrcpyA (in: lpString1=0x19fab0, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0078.751] lstrlenA (lpString="ThunderRT6Form") returned 14 [0078.751] lstrcpynA (in: lpString1=0x19fabe, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0078.751] lstrlenA (lpString="ThunderRT6") returned 10 [0078.751] lstrcpyA (in: lpString1=0x19fa44, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0078.751] GetClassInfoA (in: hInstance=0x66000000, lpClassName="ThunderRT6Form", lpWndClass=0x19fa70 | out: lpWndClass=0x19fa70) returned 0 [0078.751] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0078.751] RegisterClassA (lpWndClass=0x19fa70) returned 0xc19b [0078.751] lstrlenA (lpString="ThunderRT6") returned 10 [0078.751] lstrcpyA (in: lpString1=0x19fa44, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0078.751] lstrlenA (lpString="ThunderRT6Form") returned 14 [0078.751] lstrcpynA (in: lpString1=0x19fa52, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0078.751] RegisterClassA (lpWndClass=0x19fa70) returned 0xc19c [0078.752] AdjustWindowRectEx (in: lpRect=0x19fb70, dwStyle=0x2cb0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19fb70) returned 1 [0078.752] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc19c, lpWindowName="brocheret", dwStyle=0x2cb0000, X=452, Y=494, nWidth=329, nHeight=506, hWndParent=0x202b6, hMenu=0x0, hInstance=0x66000000, lpParam=0x0) returned 0x6002e [0078.755] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x81, wParam=0x0, lParam=0x19f620) returned 0x1 [0078.756] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x83, wParam=0x0, lParam=0x19f60c) returned 0x0 [0079.368] GetSystemMenu (hWnd=0x6002e, bRevert=0) returned 0x1d00db [0079.373] SetWindowContextHelpId (param_1=0x6002e, param_2=0xffffffff) returned 1 [0079.374] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x1, wParam=0x0, lParam=0x19f620) returned 0x0 [0079.376] GetDC (hWnd=0x6002e) returned 0xffffffff91010795 [0079.376] GetTextMetricsA (in: hdc=0x91010795, lptm=0x19fa5c | out: lptm=0x19fa5c) returned 1 [0079.376] SetBkMode (hdc=0x91010795, mode=1) returned 2 [0079.376] OleTranslateColor () returned 0x0 [0079.377] SetBkColor (hdc=0x91010795, color=0xf0f0f0) returned 0xffffff [0079.377] OleTranslateColor () returned 0x0 [0079.377] SetTextColor (hdc=0x91010795, color=0x0) returned 0x0 [0079.377] OleTranslateColor () returned 0x0 [0079.377] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x1f300640 [0079.377] SelectObject (hdc=0x91010795, h=0x1f300640) returned 0xb00017 [0079.377] SelectObject (hdc=0x91010795, h=0x900011) returned 0x900010 [0079.377] ClientToScreen (in: hWnd=0x6002e, lpPoint=0x19fa3c | out: lpPoint=0x19fa3c) returned 1 [0079.377] SetBrushOrgEx (in: hdc=0x91010795, x=7, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0079.377] UnrealizeObject (h=0x900015) returned 1 [0079.377] SelectObject (hdc=0x91010795, h=0x900015) returned 0x900011 [0079.377] CFont::QueryInterface () returned 0x0 [0079.399] CFont::FindConnectionPoint () returned 0x0 [0079.399] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x14) returned 0x296a470 [0079.402] CNotifyCP::Advise () returned 0x0 [0079.402] CFont::get_hFont () returned 0x0 [0079.402] CFont::AddRefHfont () returned 0x0 [0079.402] SelectObject (hdc=0x91010795, h=0x160a052c) returned 0x8a01c2 [0079.403] GetTextMetricsA (in: hdc=0x91010795, lptm=0x19f850 | out: lptm=0x19f850) returned 1 [0079.403] CFontEventsCP::Release () returned 0x0 [0079.403] Release () returned 0x1 [0079.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xdc) returned 0x2813628 [0079.412] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a430 [0079.412] OleLoadPictureEx () returned 0x0 [0079.432] CPicture::get_Type () returned 0x0 [0079.432] CPicture::QueryInterface () returned 0x0 [0079.432] CPicture::get_Type () returned 0x0 [0079.432] CPicture::get_CurDC () returned 0x0 [0079.432] CPicture::AddRef () returned 0x3 [0079.432] CPicture::get_Type () returned 0x0 [0079.463] CPicture::get_Attributes () returned 0x0 [0079.463] CPicture::get_hPal () returned 0x0 [0079.463] CPicture::Release () returned 0x2 [0079.463] CPicture::Release () returned 0x1 [0079.463] GetClientRect (in: hWnd=0x6002e, lpRect=0x19fbf0 | out: lpRect=0x19fbf0) returned 1 [0079.463] MapWindowPoints (in: hWndFrom=0x6002e, hWndTo=0x0, lpPoints=0x19fbf0, cPoints=0x2 | out: lpPoints=0x19fbf0) returned 34079175 [0079.463] EqualRect (lprc1=0x19fbf0, lprc2=0x19fbd0) returned 1 [0079.463] SetEvent (hEvent=0x17c) returned 1 [0079.464] CPicture::get_Type () returned 0x0 [0079.464] CPicture::get_Handle () returned 0x0 [0079.464] SendMessageA (hWnd=0x6002e, Msg=0x80, wParam=0x1, lParam=0x27029d) returned 0x0 [0079.464] GetCapture () returned 0x0 [0079.464] GetCapture () returned 0x0 [0079.464] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x80, wParam=0x1, lParam=0x27029d) returned 0x0 [0079.465] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x19faac | out: ppstm=0x19faac*=0x4abd18) returned 0x0 [0079.562] CPicture::get_KeepOriginalFormat () returned 0x0 [0079.562] CPicture::SaveAsFile () returned 0x0 [0079.565] GetSystemMetrics (nIndex=49) returned 16 [0079.565] GetSystemMetrics (nIndex=50) returned 16 [0079.565] IStream:RemoteSeek (in: This=0x4abd18, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0079.565] ISequentialStream:RemoteRead (in: This=0x4abd18, pv=0x19fa5c, cb=0x6, pcbRead=0x0 | out: pv=0x19fa5c*=0x0, pcbRead=0x0) returned 0x0 [0079.565] ISequentialStream:RemoteRead (in: This=0x4abd18, pv=0x19fa34, cb=0x10, pcbRead=0x0 | out: pv=0x19fa34*=0x10, pcbRead=0x0) returned 0x0 [0079.565] ISequentialStream:RemoteRead (in: This=0x4abd18, pv=0x19fa34, cb=0x10, pcbRead=0x0 | out: pv=0x19fa34*=0x10, pcbRead=0x0) returned 0x0 [0079.565] IStream:RemoteSeek (in: This=0x4abd18, dlibMove=0x26, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0079.565] GlobalLock (hMem=0x204000c) returned 0x4ae538 [0079.565] ISequentialStream:RemoteRead (in: This=0x4abd18, pv=0x4ae538, cb=0x28, pcbRead=0x0 | out: pv=0x4ae538*=0x28, pcbRead=0x0) returned 0x0 [0079.565] ISequentialStream:RemoteRead (in: This=0x4abd18, pv=0x4ae560, cb=0x540, pcbRead=0x0 | out: pv=0x4ae560*=0x0, pcbRead=0x0) returned 0x0 [0079.565] GlobalUnlock (hMem=0x204000c) returned 0 [0079.566] GlobalLock (hMem=0x204000c) returned 0x4ae538 [0079.566] GlobalSize (hMem=0x204000c) returned 0x568 [0079.566] GetDC (hWnd=0x0) returned 0x10105d6 [0079.566] CreateCompatibleBitmap (hdc=0x10105d6, cx=32, cy=32) returned 0x1c050513 [0079.566] SelectObject (hdc=0x3f010542, h=0x1c050513) returned 0x85000f [0079.566] StretchDIBits (hdc=0x3f010542, xDest=0, yDest=0, DestWidth=32, DestHeight=32, xSrc=0, ySrc=0, SrcWidth=16, SrcHeight=16, lpBits=0x4ae960, lpbmi=0x4ae538, iUsage=0x0, rop=0xcc0020) returned 16 [0079.567] GetObjectA (in: h=0x1c050513, c=24, pv=0x19f9cc | out: pv=0x19f9cc) returned 24 [0079.567] GlobalLock (hMem=0x204001c) returned 0x4aeab0 [0079.567] GetBitmapBits (in: hbit=0x1c050513, cb=4096, lpvBits=0x4aeab0 | out: lpvBits=0x4aeab0) returned 4096 [0079.567] SelectObject (hdc=0x3f010542, h=0x85000f) returned 0x1c050513 [0079.567] DeleteObject (ho=0x1c050513) returned 1 [0079.568] CreateBitmap (nWidth=32, nHeight=32, nPlanes=0x1, nBitCount=0x1, lpBits=0x0) returned 0x1d050513 [0079.568] SelectObject (hdc=0x3f010542, h=0x1d050513) returned 0x85000f [0079.568] StretchDIBits (hdc=0x3f010542, xDest=0, yDest=0, DestWidth=32, DestHeight=32, xSrc=0, ySrc=0, SrcWidth=16, SrcHeight=16, lpBits=0x4aea60, lpbmi=0x4ae538, iUsage=0x0, rop=0xcc0020) returned 16 [0079.568] GetObjectA (in: h=0x1d050513, c=24, pv=0x19f9b4 | out: pv=0x19f9b4) returned 24 [0079.568] GlobalLock (hMem=0x2040024) returned 0x491a48 [0079.568] GetBitmapBits (in: hbit=0x1d050513, cb=128, lpvBits=0x491a48 | out: lpvBits=0x491a48) returned 128 [0079.568] CreateIcon (hInstance=0x400000, nWidth=32, nHeight=32, cPlanes=0x1, cBitsPixel=0x20, lpbANDbits=0x491a48, lpbXORbits=0x4aeab0) returned 0x70133 [0079.568] GlobalUnlock (hMem=0x204001c) returned 0 [0079.569] GlobalUnlock (hMem=0x2040024) returned 0 [0079.569] SelectObject (hdc=0x3f010542, h=0x85000f) returned 0x1d050513 [0079.569] DeleteObject (ho=0x1d050513) returned 1 [0079.569] ReleaseDC (hWnd=0x0, hDC=0x10105d6) returned 1 [0079.569] GlobalUnlock (hMem=0x204000c) returned 0 [0079.569] SendMessageA (hWnd=0x6002e, Msg=0x80, wParam=0x0, lParam=0x70133) returned 0x0 [0079.569] GetCapture () returned 0x0 [0079.569] GetCapture () returned 0x0 [0079.569] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x80, wParam=0x0, lParam=0x70133) returned 0x0 [0079.570] IUnknown:Release (This=0x4abd18) returned 0x0 [0079.570] CPicture::get_Type () returned 0x0 [0079.570] CPicture::get_Type () returned 0x0 [0079.570] CPicture::get_Width () returned 0x0 [0079.570] CPicture::get_Height () returned 0x0 [0079.599] IsIconic (hWnd=0x6002e) returned 0 [0079.599] IsZoomed (hWnd=0x6002e) returned 0 [0079.599] GetClientRect (in: hWnd=0x6002e, lpRect=0x19fbe4 | out: lpRect=0x19fbe4) returned 1 [0079.599] GetWindow (hWnd=0x6002e, uCmd=0x5) returned 0x0 [0079.599] GetCurrentThreadId () returned 0x1124 [0079.600] GetWindow (hWnd=0x6002e, uCmd=0x4) returned 0x202b6 [0079.600] IsIconic (hWnd=0x202b6) returned 0 [0079.600] MonitorFromWindow (hwnd=0x6002e, dwFlags=0x2) returned 0x10001 [0079.600] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x19fb38 | out: lpmi=0x19fb38) returned 1 [0079.600] GetWindowRect (in: hWnd=0x202b6, lpRect=0x19fb60 | out: lpRect=0x19fb60) returned 1 [0079.600] SetWindowPos (hWnd=0x6002e, hWndInsertAfter=0x0, X=556, Y=197, cx=0, cy=0, uFlags=0x15) returned 1 [0079.600] GetCapture () returned 0x0 [0079.600] GetCapture () returned 0x0 [0079.600] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x46, wParam=0x0, lParam=0x19fae4) returned 0x0 [0079.602] GetCapture () returned 0x0 [0079.602] GetCapture () returned 0x0 [0079.603] GetParent (hWnd=0x6002e) returned 0x0 [0079.603] GetWindowRect (in: hWnd=0x6002e, lpRect=0x19f688 | out: lpRect=0x19f688) returned 1 [0079.603] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x47, wParam=0x0, lParam=0x19fae4) returned 0x0 [0079.603] GetCapture () returned 0x0 [0079.603] GetCapture () returned 0x0 [0079.603] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x3, wParam=0x0, lParam=0xdf022f) returned 0x0 [0079.603] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 113967104 [0079.603] GetClientRect (in: hWnd=0x6002e, lpRect=0x19f6f8 | out: lpRect=0x19f6f8) returned 1 [0079.603] MapWindowPoints (in: hWndFrom=0x6002e, hWndTo=0x0, lpPoints=0x19f6f8, cPoints=0x2 | out: lpPoints=0x19f6f8) returned 14615087 [0079.610] GetCapture () returned 0x0 [0079.610] GetCapture () returned 0x0 [0079.610] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x70133 [0079.611] ShowWindow (hWnd=0x6002e, nCmdShow=1) returned 0 [0079.611] GetCapture () returned 0x0 [0079.611] GetCapture () returned 0x0 [0079.611] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0079.612] GetCapture () returned 0x0 [0079.612] GetCapture () returned 0x0 [0079.612] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x46, wParam=0x0, lParam=0x19fb34) returned 0x0 [0079.612] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x46, wParam=0x0, lParam=0x19fb34) returned 0x0 [0079.648] GetCapture () returned 0x0 [0079.648] GetCapture () returned 0x0 [0079.648] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x46, wParam=0x0, lParam=0x19fb34) returned 0x0 [0079.649] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x46, wParam=0x0, lParam=0x19fb34) returned 0x0 [0079.649] GetWindowLongA (hWnd=0x901f8, nIndex=0) returned 43392628 [0079.649] GetCapture () returned 0x0 [0079.649] GetCapture () returned 0x0 [0079.649] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0079.649] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0079.650] GetCapture () returned 0x0 [0079.650] GetCapture () returned 0x0 [0079.650] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0079.652] GetCapture () returned 0x0 [0079.652] GetCapture () returned 0x0 [0079.652] IsIconic (hWnd=0x6002e) returned 0 [0079.652] GetFocus () returned 0x0 [0079.653] GetFocus () returned 0x0 [0079.653] IsWindowEnabled (hWnd=0x6002e) returned 1 [0079.653] GetWindowThreadProcessId (in: hWnd=0x6002e, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x1124 [0079.653] GetCurrentThreadId () returned 0x1124 [0079.653] SetFocus (hWnd=0x6002e) returned 0x0 [0079.775] GetCapture () returned 0x0 [0079.775] GetCapture () returned 0x0 [0079.775] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0079.805] GetCapture () returned 0x0 [0079.805] GetCapture () returned 0x0 [0079.805] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0079.806] GetCapture () returned 0x0 [0079.806] GetCapture () returned 0x0 [0079.806] IsIconic (hWnd=0x6002e) returned 0 [0079.806] GetFocus () returned 0x6002e [0079.806] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0079.806] IsWindowEnabled (hWnd=0x6002e) returned 1 [0079.806] PostMessageA (hWnd=0x6002e, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0079.806] IsIconic (hWnd=0x6002e) returned 0 [0079.806] PostMessageA (hWnd=0x6002e, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0079.806] PostMessageA (hWnd=0x6002e, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0079.806] GetCapture () returned 0x0 [0079.806] GetCapture () returned 0x0 [0079.806] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0079.808] GetCapture () returned 0x0 [0079.808] GetCapture () returned 0x0 [0079.808] IsIconic (hWnd=0x6002e) returned 0 [0079.808] IsIconic (hWnd=0x6002e) returned 0 [0079.808] GetCapture () returned 0x0 [0079.808] GetCapture () returned 0x0 [0079.808] GetParent (hWnd=0x6002e) returned 0x0 [0079.808] GetWindowRect (in: hWnd=0x6002e, lpRect=0x19f6d8 | out: lpRect=0x19f6d8) returned 1 [0079.808] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x47, wParam=0x0, lParam=0x19fb34) returned 0x0 [0079.808] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.808] GetClientRect (in: hWnd=0x6002e, lpRect=0x19f748 | out: lpRect=0x19f748) returned 1 [0079.809] MapWindowPoints (in: hWndFrom=0x6002e, hWndTo=0x0, lpPoints=0x19f748, cPoints=0x2 | out: lpPoints=0x19f748) returned 14615087 [0079.810] GetCapture () returned 0x0 [0079.810] GetCapture () returned 0x0 [0079.810] IsWindowVisible (hWnd=0x6002e) returned 1 [0079.810] IsIconic (hWnd=0x6002e) returned 0 [0079.810] IsZoomed (hWnd=0x6002e) returned 0 [0079.810] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x5, wParam=0x0, lParam=0x1dd0143) returned 0x0 [0079.810] GetClientRect (in: hWnd=0x6002e, lpRect=0x19f724 | out: lpRect=0x19f724) returned 1 [0079.810] GetWindow (hWnd=0x6002e, uCmd=0x5) returned 0x0 [0079.810] GetCapture () returned 0x0 [0079.810] GetCapture () returned 0x0 [0079.810] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x3, wParam=0x0, lParam=0xdf022f) returned 0x0 [0079.810] GetCurrentThreadId () returned 0x1124 [0079.810] PostThreadMessageA (idThread=0x1124, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0079.810] GetCurrentProcessId () returned 0x111c [0079.811] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x18) returned 0x296a650 [0079.811] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xc) returned 0x296b328 [0079.811] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.816] IsWindow (hWnd=0x6002e) returned 1 [0079.816] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.816] IsIconic (hWnd=0x6002e) returned 0 [0079.816] GetParent (hWnd=0x6002e) returned 0x0 [0079.816] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.816] DispatchMessageA (lpMsg=0x19fe50) returned 0x0 [0079.816] GetCapture () returned 0x0 [0079.816] GetCapture () returned 0x0 [0079.816] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x31f, wParam=0x1, lParam=0x0) returned 0x0 [0079.816] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.817] IsWindow (hWnd=0x6002e) returned 1 [0079.817] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.817] IsIconic (hWnd=0x6002e) returned 0 [0079.817] GetParent (hWnd=0x6002e) returned 0x0 [0079.817] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.817] DispatchMessageA (lpMsg=0x19fe50) returned 0x0 [0079.817] GetCapture () returned 0x0 [0079.817] GetCapture () returned 0x0 [0079.817] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.817] IsWindow (hWnd=0x6002e) returned 1 [0079.817] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.817] IsIconic (hWnd=0x6002e) returned 0 [0079.817] GetParent (hWnd=0x6002e) returned 0x0 [0079.817] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.817] DispatchMessageA (lpMsg=0x19fe50) returned 0x0 [0079.817] GetCapture () returned 0x0 [0079.817] GetCapture () returned 0x0 [0079.817] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.818] IsWindow (hWnd=0x6002e) returned 1 [0079.818] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.818] IsIconic (hWnd=0x6002e) returned 0 [0079.818] GetParent (hWnd=0x6002e) returned 0x0 [0079.818] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.818] DispatchMessageA (lpMsg=0x19fe50) returned 0x0 [0079.818] GetCapture () returned 0x0 [0079.818] GetCapture () returned 0x0 [0079.818] GetActiveWindow () returned 0x6002e [0079.818] GetWindowThreadProcessId (in: hWnd=0x6002e, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x1124 [0079.818] GetFocus () returned 0x6002e [0079.818] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.818] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.818] DispatchMessageA (lpMsg=0x19fe50) returned 0x0 [0079.818] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.819] GetCapture () returned 0x0 [0079.819] GetCapture () returned 0x0 [0079.819] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x84, wParam=0x0, lParam=0x126027b) returned 0x1 [0079.819] GetCapture () returned 0x0 [0079.819] GetCapture () returned 0x0 [0079.819] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x20, wParam=0x6002e, lParam=0x2000001) returned 0x0 [0079.819] IsWindow (hWnd=0x6002e) returned 1 [0079.819] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.819] IsIconic (hWnd=0x6002e) returned 0 [0079.819] GetCursorPos (in: lpPoint=0x19fdc4 | out: lpPoint=0x19fdc4*(x=635, y=294)) returned 1 [0079.819] WindowFromPoint (Point=0x27b) returned 0x6002e [0079.820] GetCapture () returned 0x0 [0079.820] GetCapture () returned 0x0 [0079.820] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x84, wParam=0x0, lParam=0x126027b) returned 0x1 [0079.820] ScreenToClient (in: hWnd=0x6002e, lpPoint=0x19fda4 | out: lpPoint=0x19fda4) returned 1 [0079.820] IsWindowEnabled (hWnd=0x6002e) returned 1 [0079.820] GetParent (hWnd=0x6002e) returned 0x0 [0079.820] PtInRect (lprc=0x19fd38, pt=0x4c) returned 0 [0079.820] GetParent (hWnd=0x6002e) returned 0x0 [0079.820] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.820] DispatchMessageA (lpMsg=0x19fe50) returned 0x0 [0079.820] GetCapture () returned 0x0 [0079.820] GetCapture () returned 0x0 [0079.820] IsWindowEnabled (hWnd=0x6002e) returned 1 [0079.820] GetParent (hWnd=0x6002e) returned 0x0 [0079.820] PtInRect (lprc=0x19fbf0, pt=0x4c) returned 0 [0079.820] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x200, wParam=0x0, lParam=0x47004c) returned 0x0 [0079.820] CreateWindowExA (dwExStyle=0x80, lpClassName="VBBubbleRT6", lpWindowName=0x0, dwStyle=0x80800000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x66000000, lpParam=0x0) returned 0x502aa [0079.821] NtdllDefWindowProc_A (hWnd=0x502aa, Msg=0x81, wParam=0x0, lParam=0x19f3e0) returned 0x1 [0079.821] NtdllDefWindowProc_A (hWnd=0x502aa, Msg=0x83, wParam=0x0, lParam=0x19f3cc) returned 0x0 [0079.821] NtdllDefWindowProc_A (hWnd=0x502aa, Msg=0x1, wParam=0x0, lParam=0x19f3e0) returned 0x0 [0079.822] NtdllDefWindowProc_A (hWnd=0x502aa, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0079.822] NtdllDefWindowProc_A (hWnd=0x502aa, Msg=0x3, wParam=0x0, lParam=0x10001) returned 0x0 [0079.822] SystemParametersInfoA (in: uiAction=0x29, uiParam=0x154, pvParam=0x19f868, fWinIni=0x0 | out: pvParam=0x19f868) returned 1 [0079.822] CreateFontIndirectA (lplf=0x19f944) returned 0x8d0a079d [0079.822] GetCapture () returned 0x0 [0079.822] GetActiveWindow () returned 0x6002e [0079.822] GetWindowLongA (hWnd=0x6002e, nIndex=-6) returned 1711276032 [0079.822] GetCursorPos (in: lpPoint=0x19f9d4 | out: lpPoint=0x19f9d4*(x=635, y=294)) returned 1 [0079.822] WindowFromPoint (Point=0x279) returned 0x6002e [0079.822] GetCapture () returned 0x0 [0079.822] GetCapture () returned 0x0 [0079.822] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x84, wParam=0x0, lParam=0x1240279) returned 0x1 [0079.822] ScreenToClient (in: hWnd=0x6002e, lpPoint=0x19f9d4 | out: lpPoint=0x19f9d4) returned 1 [0079.822] GetKeyState (nVirtKey=2) returned 0 [0079.823] GetKeyState (nVirtKey=4) returned 0 [0079.823] GetKeyState (nVirtKey=1) returned 0 [0079.823] GetKeyState (nVirtKey=17) returned 0 [0079.823] GetKeyState (nVirtKey=18) returned 0 [0079.823] GetKeyState (nVirtKey=16) returned 0 [0079.823] PeekMessageA (in: lpMsg=0x19fe50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x19fe50) returned 1 [0079.823] IsWindow (hWnd=0x6002e) returned 1 [0079.823] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 382402560 [0079.823] IsIconic (hWnd=0x6002e) returned 0 [0079.823] GetParent (hWnd=0x6002e) returned 0x0 [0079.823] TranslateMessage (lpMsg=0x19fe50) returned 0 [0079.823] DispatchMessageA (lpMsg=0x19fe50) [0079.823] GetCapture () returned 0x0 [0079.823] GetCapture () returned 0x0 [0079.823] IsIconic (hWnd=0x6002e) returned 0 [0079.823] CreateRectRgn (x1=0, y1=0, x2=0, y2=0) returned 0x8204065f [0079.823] GetUpdateRgn (hWnd=0x6002e, hRgn=0x8204065f, bErase=0) returned 2 [0079.823] CreateRectRgn (x1=0, y1=0, x2=0, y2=0) returned 0x3c04065e [0079.823] SetRectRgn (hrgn=0x3c04065e, left=27, top=88, right=491, bottom=1001) returned 1 [0079.823] CombineRgn (hrgnDst=0x8204065f, hrgnSrc1=0x8204065f, hrgnSrc2=0x3c04065e, iMode=4) returned 3 [0079.823] DeleteObject (ho=0x3c04065e) returned 1 [0079.823] DeleteObject (ho=0x8204065f) returned 1 [0079.823] GetUpdateRect (in: hWnd=0x6002e, lpRect=0x19fb14, bErase=0 | out: lpRect=0x19fb14) returned 1 [0079.824] BeginPaint (in: hWnd=0x6002e, lpPaint=0x19fab8 | out: lpPaint=0x19fab8) returned 0x91010795 [0079.824] IsIconic (hWnd=0x6002e) returned 0 [0079.824] IsIconic (hWnd=0x6002e) returned 0 [0079.824] GetClientRect (in: hWnd=0x6002e, lpRect=0x19f8b0 | out: lpRect=0x19f8b0) returned 1 [0079.824] OleTranslateColor () returned 0x0 [0079.824] OleTranslateColor () returned 0x0 [0079.824] CreateSolidBrush (color=0xf0f0f0) returned 0x31100783 [0079.824] OleTranslateColor () returned 0x0 [0079.824] OleTranslateColor () returned 0x0 [0079.824] SetTextColor (hdc=0x91010795, color=0x0) returned 0x0 [0079.824] SetBkColor (hdc=0x91010795, color=0xf0f0f0) returned 0xf0f0f0 [0079.824] FillRect (hDC=0x91010795, lprc=0x19f8b0, hbr=0x31100783) returned 1 [0079.824] SetTextColor (hdc=0x91010795, color=0x0) returned 0x0 [0079.824] SetBkColor (hdc=0x91010795, color=0xf0f0f0) returned 0xf0f0f0 [0079.825] EndPaint (hWnd=0x6002e, lpPaint=0x19fab8) returned 1 [0079.827] GetLocalTime (in: lpSystemTime=0x19f560 | out: lpSystemTime=0x19f560*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x68)) [0079.827] VarDateFromUdate (in: pudateIn=0x19f584, dwFlags=0x0, pdateOut=0x19f560 | out: pdateOut=0x19f560) returned 0x0 [0079.838] GetUserDefaultLCID () returned 0x409 [0079.838] VarDateFromStr (in: strIn="5/10/2020", lcid=0x409, dwFlags=0x2, pdateOut=0x19f5d0 | out: pdateOut=0x19f5d0) returned 0x0 [0079.838] GetLocalTime (in: lpSystemTime=0x19f560 | out: lpSystemTime=0x19f560*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x68)) [0079.838] VarDateFromUdate (in: pudateIn=0x19f584, dwFlags=0x0, pdateOut=0x19f560 | out: pdateOut=0x19f560) returned 0x0 [0079.838] VarCmp (pvarLeft=0x19f684, pvarRight=0x19f674, lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.839] GetUserDefaultLCID () returned 0x409 [0079.839] VarR8FromStr (in: strIn="2", lcid=0x409, dwFlags=0x0, pdblOut=0x19f5d4 | out: pdblOut=0x19f5d4) returned 0x0 [0079.839] GetLocalTime (in: lpSystemTime=0x19f5b8 | out: lpSystemTime=0x19f5b8*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x68)) [0079.840] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xfc) returned 0x2813710 [0079.840] GetCurrentThreadId () returned 0x1124 [0079.840] GetCurrentThreadId () returned 0x1124 [0079.840] GetCurrentThreadId () returned 0x1124 [0079.840] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa) returned 0x296b1f0 [0079.841] SetWindowTextA (hWnd=0x202b6, lpString="FLOCKLESS") returned 1 [0079.841] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0xc, wParam=0x0, lParam=0x296b1f0) returned 0x1 [0079.841] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x1) returned 0x296efc0 [0079.841] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa) returned 0x296b370 [0079.841] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xa) returned 0x296b220 [0079.841] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x15) returned 0x296a570 [0079.841] GetLocalTime (in: lpSystemTime=0x19f460 | out: lpSystemTime=0x19f460*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x68)) [0079.841] VarDateFromUdate (in: pudateIn=0x19f484, dwFlags=0x0, pdateOut=0x19f460 | out: pdateOut=0x19f460) returned 0x0 [0079.841] GetUserDefaultLCID () returned 0x409 [0079.842] VarDateFromStr (in: strIn="5/10/2020", lcid=0x409, dwFlags=0x2, pdateOut=0x19f4d0 | out: pdateOut=0x19f4d0) returned 0x0 [0079.842] GetLocalTime (in: lpSystemTime=0x19f460 | out: lpSystemTime=0x19f460*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x68)) [0079.842] VarDateFromUdate (in: pudateIn=0x19f484, dwFlags=0x0, pdateOut=0x19f460 | out: pdateOut=0x19f460) returned 0x0 [0079.842] VarCmp (pvarLeft=0x19f540, pvarRight=0x19f530, lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.842] GetUserDefaultLCID () returned 0x409 [0079.842] VarR8FromStr (in: strIn="2", lcid=0x409, dwFlags=0x0, pdblOut=0x19f4d4 | out: pdblOut=0x19f4d4) returned 0x0 [0079.842] GetLocalTime (in: lpSystemTime=0x19f4b8 | out: lpSystemTime=0x19f4b8*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x68)) [0079.842] GetUserDefaultLCID () returned 0x409 [0079.842] VarR4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, pfltOut=0x19f4d8 | out: pfltOut=0x19f4d8) returned 0x0 [0079.848] VarBstrCmp (bstrLeft="AA", bstrRight="AA", lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.848] GetUserDefaultLCID () returned 0x409 [0079.848] VarDateFromStr (in: strIn="17:17:17", lcid=0x409, dwFlags=0x1, pdateOut=0x19f4d0 | out: pdateOut=0x19f4d0) returned 0x0 [0079.849] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x19f3c0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0079.849] lstrcpynA (in: lpString1=0x19f2ac, lpString2="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", iMaxLength=260 | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe") returned="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" [0079.849] lstrlenA (lpString="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe") returned 42 [0079.849] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x2b) returned 0x2813818 [0079.849] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x2b) returned 0x2813850 [0079.849] lstrcpyA (in: lpString1=0x2813818, lpString2="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe") returned="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" [0079.851] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xf) returned 0x296b208 [0079.851] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x2813850 | out: hHeap=0x2960000) returned 1 [0079.851] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x2813818 | out: hHeap=0x2960000) returned 1 [0079.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296b208, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 15 [0079.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296b208, cbMultiByte=-1, lpWideCharStr=0x4aa424, cchWideChar=15 | out: lpWideCharStr="BUDDINGPULVERS") returned 15 [0079.851] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x296b208 | out: hHeap=0x2960000) returned 1 [0079.852] CFont::get_Name () returned 0x0 [0079.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MS Sans Serif", cchWideChar=-1, lpMultiByteStr=0x19f494, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS Sans Serif", lpUsedDefaultChar=0x0) returned 14 [0079.852] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0xe) returned 0x296b208 [0079.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296b208, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0079.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296b208, cbMultiByte=-1, lpWideCharStr=0x4ab9d4, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0079.852] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x296b208 | out: hHeap=0x2960000) returned 1 [0079.852] VarBstrCmp (bstrLeft="MS Sans Serif", bstrRight=0x0, lcid=0x0, dwFlags=0x30001) returned 0x2 [0079.853] VarUdateFromDate (in: dateIn=0x75f31aed, dwFlags=0x3fe2fba3, pudateOut=0x0 | out: pudateOut=0x0) returned 0x0 [0079.853] VarCmp (pvarLeft=0x19f578, pvarRight=0x19f538, lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.853] VarDateFromUdate (in: pudateIn=0x19f4b8, dwFlags=0x0, pdateOut=0x19f494 | out: pdateOut=0x19f494) returned 0x0 [0079.853] LoadStringA (in: hInstance=0x66000000, uID=0x2718, lpBuffer=0x19f2a8, cchBufferMax=500 | out: lpBuffer="Out of string space") returned 0x13 [0079.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f2a8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 20 [0079.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f2a8, cbMultiByte=-1, lpWideCharStr=0x4aa424, cchWideChar=20 | out: lpWideCharStr="Out of string space") returned 20 [0079.857] VarCmp (pvarLeft=0x19f578, pvarRight=0x19f568, lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.857] GetUserDefaultLCID () returned 0x409 [0079.857] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x19f438, cchData=6 | out: lpLCData="1252") returned 5 [0079.857] SysStringLen (param_1="a") returned 0x1 [0079.857] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0079.857] SysStringLen (param_1="a") returned 0x1 [0079.857] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=2, lpMultiByteStr=0x4abaec, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="a", lpUsedDefaultChar=0x0) returned 2 [0079.857] LCMapStringA (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="a", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0079.857] LCMapStringA (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="a", cchSrc=1, lpDestStr=0x4aba4c, cchDest=1 | out: lpDestStr="a") returned 1 [0079.858] SysStringByteLen (bstr="a") returned 0x1 [0079.863] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x4aba4c, cbMultiByte=1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1 [0079.864] SysStringByteLen (bstr="a") returned 0x1 [0079.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x4aba4c, cbMultiByte=2, lpWideCharStr=0x4b075c, cchWideChar=3 | out: lpWideCharStr="a") returned 2 [0079.864] LCMapStringW (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="a", cchSrc=1, lpDestStr=0x4b075c, cchDest=1 | out: lpDestStr="A") returned 1 [0079.864] VarCmp (pvarLeft=0x19f578, pvarRight=0x19f528, lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.864] GetLocalTime (in: lpSystemTime=0x19f46c | out: lpSystemTime=0x19f46c*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x88)) [0079.864] VarDateFromUdate (in: pudateIn=0x19f490, dwFlags=0x0, pdateOut=0x19f46c | out: pdateOut=0x19f46c) returned 0x0 [0079.864] GetLocalTime (in: lpSystemTime=0x19f46c | out: lpSystemTime=0x19f46c*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x88)) [0079.864] VarDateFromUdate (in: pudateIn=0x19f490, dwFlags=0x0, pdateOut=0x19f46c | out: pdateOut=0x19f46c) returned 0x0 [0079.864] VarAdd (in: pvarLeft=0x19f578, pvarRight=0x19f538, pvarResult=0x19f568 | out: pvarResult=0x19f568) returned 0x0 [0079.866] VarUdateFromDate (in: dateIn=0x0, dwFlags=0x40e57720, pudateOut=0x0 | out: pudateOut=0x0) returned 0x0 [0079.866] VarUdateFromDate (in: dateIn=0x0, dwFlags=0x40e57740, pudateOut=0x0 | out: pudateOut=0x0) returned 0x0 [0079.866] GetUserDefaultLCID () returned 0x409 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="y", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="yy") returned 1 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="d", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="dd") returned 1 [0079.866] GetUserDefaultLCID () returned 0x409 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="y", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="yy") returned 1 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="d", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="dd") returned 1 [0079.866] GetUserDefaultLCID () returned 0x409 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="m", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="mm") returned 1 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="d", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="dd") returned 1 [0079.866] GetUserDefaultLCID () returned 0x409 [0079.866] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="d", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="dd") returned 1 [0079.867] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="d", cchSrc=1, lpDestStr=0x19f412, cchDest=1 | out: lpDestStr="dd") returned 1 [0079.867] VarCmp (pvarLeft=0x19f558, pvarRight=0x19f528, lcid=0x0, dwFlags=0x30001) returned 0x1 [0079.867] LoadLibraryA (lpLibFileName="VERSION.DLL") returned 0x74240000 [0080.028] GetLastError () returned 0x0 [0080.028] GetProcAddress (hModule=0x74240000, lpProcName="VerQueryValueA") returned 0x742414f0 [0080.028] GetProcAddress (hModule=0x74240000, lpProcName="GetFileVersionInfoSizeA") returned 0x742414d0 [0080.028] GetProcAddress (hModule=0x74240000, lpProcName="GetFileVersionInfoA") returned 0x742414b0 [0080.028] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x19f30c, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0080.028] GetFileVersionInfoSizeA (in: lptstrFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", lpdwHandle=0x19f44c | out: lpdwHandle=0x19f44c) returned 0x534 [0080.029] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x534) returned 0x2813818 [0080.029] GetFileVersionInfoA (in: lptstrFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", dwHandle=0x0, dwLen=0x534, lpData=0x2813818 | out: lpData=0x2813818) returned 1 [0080.029] VerQueryValueA (in: pBlock=0x2813818, lpSubBlock="\\", lplpBuffer=0x19f450, puLen=0x19f454 | out: lplpBuffer=0x19f450*=0x2813840, puLen=0x19f454) returned 1 [0080.029] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x2813818 | out: hHeap=0x2960000) returned 1 [0080.029] GetLocalTime (in: lpSystemTime=0x19f4e4 | out: lpSystemTime=0x19f4e4*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x133)) [0080.029] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f518, cbMultiByte=8, lpWideCharStr=0x4abaec, cchWideChar=8 | out: lpWideCharStr="01:27:12") returned 8 [0080.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Add", cchWideChar=-1, lpMultiByteStr=0x19f478, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Add", lpUsedDefaultChar=0x0) returned 4 [0080.030] lstrcmpiA (lpString1="Add", lpString2="Add") returned 0 [0080.047] DispGetParam (in: pdispparams=0x19f4bc, position=0x0, vtTarg=0x8, pvarResult=0x19f3c8, puArgErr=0x19f4cc | out: pvarResult=0x19f3c8, puArgErr=0x19f4cc) returned 0x0 [0080.047] DispGetParam (in: pdispparams=0x19f4bc, position=0x1, vtTarg=0x8, pvarResult=0x19f3b8, puArgErr=0x19f4cc | out: pvarResult=0x19f3b8, puArgErr=0x19f4cc) returned 0x0 [0080.047] SysStringLen (param_1="VB.HscrollBar") returned 0xd [0080.047] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ebdo9nXnL6jVzD23w1xQul7Jdf224", cchWideChar=-1, lpMultiByteStr=0x19f360, cbMultiByte=59, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ebdo9nXnL6jVzD23w1xQul7Jdf224", lpUsedDefaultChar=0x0) returned 30 [0080.047] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VB.HscrollBar", cchWideChar=-1, lpMultiByteStr=0x19f344, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VB.HscrollBar", lpUsedDefaultChar=0x0) returned 14 [0080.047] lstrlenA (lpString="ebdo9nXnL6jVzD23w1xQul7Jdf224") returned 29 [0080.047] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x434) returned 0x2813818 [0080.048] GetCurrentThreadId () returned 0x1124 [0080.048] lstrcmpiA (lpString1="VB.HScrollBar", lpString2="VB.HscrollBar") returned 0 [0080.048] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0xe8) returned 0x2813c58 [0080.048] lstrlenA (lpString="ebdo9nXnL6jVzD23w1xQul7Jdf224") returned 29 [0080.048] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x33) returned 0x2813d48 [0080.048] lstrcpyA (in: lpString1=0x2813d5d, lpString2="ebdo9nXnL6jVzD23w1xQul7Jdf224" | out: lpString1="ebdo9nXnL6jVzD23w1xQul7Jdf224") returned="ebdo9nXnL6jVzD23w1xQul7Jdf224" [0080.048] GetSystemMetrics (nIndex=21) returned 17 [0080.048] GetSystemMetrics (nIndex=3) returned 17 [0080.048] lstrlenA (lpString="ThunderRT6") returned 10 [0080.048] lstrcpyA (in: lpString1=0x19f1f8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0080.048] lstrlenA (lpString="ThunderRT6") returned 10 [0080.048] lstrcpyA (in: lpString1=0x19f18c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0080.048] GetClassInfoA (in: hInstance=0x0, lpClassName="Scrollbar", lpWndClass=0x19f1b8 | out: lpWndClass=0x19f1b8) returned 1 [0080.048] GetClassInfoA (in: hInstance=0x66000000, lpClassName="ThunderRT6HScrollBar", lpWndClass=0x19f1b8 | out: lpWndClass=0x19f1b8) returned 0 [0080.049] RegisterClassA (lpWndClass=0x19f1b8) returned 0xc19d [0080.049] CreateWindowExA (dwExStyle=0x4, lpClassName=0xc19d, lpWindowName=0x0, dwStyle=0x44010000, X=0, Y=0, nWidth=85, nHeight=17, hWndParent=0x6002e, hMenu=0x1, hInstance=0x66000000, lpParam=0x0) returned 0x18001c [0080.049] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x81, wParam=0x0, lParam=0x19ed68) returned 0x1 [0080.051] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x83, wParam=0x0, lParam=0x19ed54) returned 0x0 [0080.051] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x1, wParam=0x0, lParam=0x19ed68) returned 0x0 [0080.051] SetScrollRange (hWnd=0x18001c, nBar=2, nMinPos=0, nMaxPos=32767, bRedraw=0) returned 1 [0080.051] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0xe9, wParam=0x0, lParam=0x19e9ac) returned 0x0 [0080.052] GetScrollPos (hWnd=0x18001c, nBar=2) returned 0 [0080.052] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0xe1, wParam=0x0, lParam=0x0) returned 0x0 [0080.052] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0xe9, wParam=0x1, lParam=0x19eaa8) returned 0x0 [0080.052] OleTranslateColor () returned 0x0 [0080.052] OleTranslateColor () returned 0x0 [0080.052] SetTextColor (hdc=0x10105d6, color=0x0) returned 0x0 [0080.052] SetBkColor (hdc=0x10105d6, color=0xffffff) returned 0xffffff [0080.052] OleTranslateColor () returned 0x0 [0080.053] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x5, wParam=0x0, lParam=0x110055) returned 0x0 [0080.053] GetFocus () returned 0x6002e [0080.053] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0080.054] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Left", cchWideChar=-1, lpMultiByteStr=0x19f49c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Left", lpUsedDefaultChar=0x0) returned 5 [0080.054] lstrcmpiA (lpString1="Left", lpString2="Left") returned 0 [0080.054] GetParent (hWnd=0x18001c) returned 0x6002e [0080.054] MonitorFromWindow (hwnd=0x18001c, dwFlags=0x2) returned 0x10001 [0080.054] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x19f19c | out: lpmi=0x19f19c) returned 1 [0080.054] GetParent (hWnd=0x18001c) returned 0x6002e [0080.054] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19f19c | out: lpRect=0x19f19c) returned 1 [0080.054] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19f19c, cPoints=0x2 | out: lpPoints=0x19f19c) returned -14549551 [0080.055] MoveWindow (hWnd=0x18001c, X=1550, Y=0, nWidth=85, nHeight=17, bRepaint=1) returned 1 [0080.055] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x46, wParam=0x0, lParam=0x19f13c) returned 0x0 [0080.055] GetParent (hWnd=0x18001c) returned 0x6002e [0080.055] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19ee38 | out: lpRect=0x19ee38) returned 1 [0080.055] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19ee38, cPoints=0x2 | out: lpPoints=0x19ee38) returned -14549551 [0080.055] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x47, wParam=0x0, lParam=0x19f13c) returned 0x0 [0080.055] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x3, wParam=0x0, lParam=0x60e) returned 0x0 [0080.055] GetParent (hWnd=0x18001c) returned 0x6002e [0080.055] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19f19c | out: lpRect=0x19f19c) returned 1 [0080.055] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19f19c, cPoints=0x2 | out: lpPoints=0x19f19c) returned -14549551 [0080.055] EnableWindow (hWnd=0x18001c, bEnable=1) returned 0 [0080.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Top", cchWideChar=-1, lpMultiByteStr=0x19f4a0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Top", lpUsedDefaultChar=0x0) returned 4 [0080.056] lstrcmpiA (lpString1="Top", lpString2="Top") returned 0 [0080.056] GetParent (hWnd=0x18001c) returned 0x6002e [0080.056] MonitorFromWindow (hwnd=0x18001c, dwFlags=0x2) returned 0x10001 [0080.056] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x19f19c | out: lpmi=0x19f19c) returned 1 [0080.056] GetParent (hWnd=0x18001c) returned 0x6002e [0080.056] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19f19c | out: lpRect=0x19f19c) returned 1 [0080.056] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19f19c, cPoints=0x2 | out: lpPoints=0x19f19c) returned -14549551 [0080.056] MoveWindow (hWnd=0x18001c, X=1550, Y=860, nWidth=85, nHeight=17, bRepaint=1) returned 1 [0080.056] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x46, wParam=0x0, lParam=0x19f13c) returned 0x0 [0080.056] GetParent (hWnd=0x18001c) returned 0x6002e [0080.056] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19ee38 | out: lpRect=0x19ee38) returned 1 [0080.056] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19ee38, cPoints=0x2 | out: lpPoints=0x19ee38) returned -14549551 [0080.056] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x47, wParam=0x0, lParam=0x19f13c) returned 0x0 [0080.056] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x3, wParam=0x0, lParam=0x35c060e) returned 0x0 [0080.057] GetParent (hWnd=0x18001c) returned 0x6002e [0080.057] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19f19c | out: lpRect=0x19f19c) returned 1 [0080.057] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19f19c, cPoints=0x2 | out: lpPoints=0x19f19c) returned -14549551 [0080.057] EnableWindow (hWnd=0x18001c, bEnable=1) returned 0 [0080.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Visible", cchWideChar=-1, lpMultiByteStr=0x19f498, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Visible", lpUsedDefaultChar=0x0) returned 8 [0080.057] lstrcmpiA (lpString1="Visible", lpString2="Visible") returned 0 [0080.057] GetFocus () returned 0x6002e [0080.057] ShowWindow (hWnd=0x18001c, nCmdShow=5) returned 0 [0080.057] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0080.057] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x46, wParam=0x0, lParam=0x19f1fc) returned 0x0 [0080.058] GetParent (hWnd=0x18001c) returned 0x6002e [0080.058] GetWindowRect (in: hWnd=0x18001c, lpRect=0x19eef8 | out: lpRect=0x19eef8) returned 1 [0080.058] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0x6002e, lpPoints=0x19eef8, cPoints=0x2 | out: lpPoints=0x19eef8) returned -14549551 [0080.058] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x47, wParam=0x0, lParam=0x19f1fc) returned 0x0 [0080.058] GetActiveWindow () returned 0x6002e [0080.058] GetWindowThreadProcessId (in: hWnd=0x6002e, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x1124 [0080.058] GetFocus () returned 0x6002e [0080.058] GetWindowLongA (hWnd=0x18001c, nIndex=-16) returned 1409351680 [0080.058] IsWindowVisible (hWnd=0x18001c) returned 1 [0080.058] IsWindowEnabled (hWnd=0x18001c) returned 1 [0080.058] GetParent (hWnd=0x18001c) returned 0x6002e [0080.058] IsWindowEnabled (hWnd=0x6002e) returned 1 [0080.058] GetParent (hWnd=0x6002e) returned 0x0 [0080.058] GetFocus () returned 0x6002e [0080.058] IsWindowEnabled (hWnd=0x18001c) returned 1 [0080.058] GetWindowThreadProcessId (in: hWnd=0x18001c, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x1124 [0080.058] GetCurrentThreadId () returned 0x1124 [0080.058] SetFocus (hWnd=0x18001c) returned 0x6002e [0080.058] GetCapture () returned 0x0 [0080.059] GetCapture () returned 0x0 [0080.059] IsWindowVisible (hWnd=0x502aa) returned 0 [0080.059] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x8, wParam=0x18001c, lParam=0x0) returned 0x0 [0080.061] GetCapture () returned 0x0 [0080.061] GetCapture () returned 0x0 [0080.061] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0080.063] IsWindowVisible (hWnd=0x502aa) returned 0 [0080.063] CallWindowProcA (lpPrevWndFunc=0x779f5600, hWnd=0x18001c, Msg=0x7, wParam=0x6002e, lParam=0x0) returned 0x0 [0080.063] IsWindowEnabled (hWnd=0x6002e) returned 1 [0080.063] PostMessageA (hWnd=0x6002e, Msg=0x100e, wParam=0x12, lParam=0x0) returned 1 [0080.063] IsIconic (hWnd=0x6002e) returned 0 [0080.063] PostMessageA (hWnd=0x18001c, Msg=0x100e, wParam=0x3, lParam=0x0) returned 1 [0080.063] EnableWindow (hWnd=0x18001c, bEnable=1) returned 0 [0080.063] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Left", cchWideChar=-1, lpMultiByteStr=0x19f4a0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Left", lpUsedDefaultChar=0x0) returned 5 [0080.063] lstrcmpiA (lpString1="Left", lpString2="Left") returned 0 [0080.063] GetParent (hWnd=0x18001c) returned 0x6002e [0080.063] VarCmp (pvarLeft=0x19f584, pvarRight=0x19f564, lcid=0x0, dwFlags=0x30001) returned 0x2 [0080.064] VarBstrCmp (bstrLeft="Double", bstrRight="Double", lcid=0x0, dwFlags=0x30001) returned 0x1 [0080.064] VarUdateFromDate (in: dateIn=0x0, dwFlags=0x40e35e80, pudateOut=0x0 | out: pudateOut=0x0) returned 0x0 [0080.064] VarCmp (pvarLeft=0x19f574, pvarRight=0x19f554, lcid=0x0, dwFlags=0x30001) returned 0x1 [0080.064] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x8, Size=0x1c) returned 0x2813d88 [0080.064] VarBstrCmp (bstrLeft="C", bstrRight="C", lcid=0x0, dwFlags=0x30001) returned 0x1 [0080.064] VarFormatCurrency (in: pvarIn=0x19f584, iNumDig=-1, iIncLead=-2, iUseParens=-2, iGroup=-2, dwFlags=0x0, pbstrOut=0x19f504 | out: pbstrOut=0x19f504*="$1.00") returned 0x0 [0080.065] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x19f33c, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0080.065] GetFileVersionInfoSizeA (in: lptstrFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", lpdwHandle=0x19f47c | out: lpdwHandle=0x19f47c) returned 0x534 [0080.066] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x534) returned 0x2813db0 [0080.066] GetFileVersionInfoA (in: lptstrFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", dwHandle=0x0, dwLen=0x534, lpData=0x2813db0 | out: lpData=0x2813db0) returned 1 [0080.066] VerQueryValueA (in: pBlock=0x2813db0, lpSubBlock="\\", lplpBuffer=0x19f480, puLen=0x19f484 | out: lplpBuffer=0x19f480*=0x2813dd8, puLen=0x19f484) returned 1 [0080.066] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x2813db0 | out: hHeap=0x2960000) returned 1 [0080.066] GetLocalTime (in: lpSystemTime=0x19f49c | out: lpSystemTime=0x19f49c*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x157)) [0080.066] VarDateFromUdate (in: pudateIn=0x19f4c0, dwFlags=0x0, pdateOut=0x19f49c | out: pdateOut=0x19f49c) returned 0x0 [0080.066] GetUserDefaultLCID () returned 0x409 [0080.066] VarDateFromStr (in: strIn="5/10/2020", lcid=0x409, dwFlags=0x2, pdateOut=0x19f50c | out: pdateOut=0x19f50c) returned 0x0 [0080.066] GetLocalTime (in: lpSystemTime=0x19f49c | out: lpSystemTime=0x19f49c*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x157)) [0080.066] VarDateFromUdate (in: pudateIn=0x19f4c0, dwFlags=0x0, pdateOut=0x19f49c | out: pdateOut=0x19f49c) returned 0x0 [0080.066] VarCmp (pvarLeft=0x19f588, pvarRight=0x19f578, lcid=0x0, dwFlags=0x30001) returned 0x1 [0080.066] GetUserDefaultLCID () returned 0x409 [0080.066] VarR8FromStr (in: strIn="2", lcid=0x409, dwFlags=0x0, pdblOut=0x19f510 | out: pdblOut=0x19f510) returned 0x0 [0080.066] GetLocalTime (in: lpSystemTime=0x19f4f4 | out: lpSystemTime=0x19f4f4*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x0, wDay=0xa, wHour=0x1, wMinute=0x1b, wSecond=0xc, wMilliseconds=0x157)) [0080.066] GetUserDefaultLCID () returned 0x409 [0080.066] VarR4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, pfltOut=0x19f518 | out: pfltOut=0x19f518) returned 0x0 [0080.067] VarBstrCmp (bstrLeft="AA", bstrRight="AA", lcid=0x0, dwFlags=0x30001) returned 0x1 [0080.067] GetUserDefaultLCID () returned 0x409 [0080.067] VarDateFromStr (in: strIn="17:17:17", lcid=0x409, dwFlags=0x1, pdateOut=0x19f510 | out: pdateOut=0x19f510) returned 0x0 [0080.068] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", cchWideChar=-1, lpMultiByteStr=0x19ef60, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", lpUsedDefaultChar=0x0) returned 40 [0080.068] GetFullPathNameA (in: lpFileName="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", nBufferLength=0x104, lpBuffer=0x19f19c, lpFilePart=0x19ef58 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", lpFilePart=0x19ef58*="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10") returned 0x3f [0080.068] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", cchWideChar=-1, lpMultiByteStr=0x19f3e8, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", lpUsedDefaultChar=0x0) returned 40 [0080.068] FindFirstFileA (in: lpFileName="cJmUluFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", lpFindFileData=0x19ef38 | out: lpFindFileData=0x19ef38*(dwFileAttributes=0x19ef58, ftCreationTime.dwLowDateTime=0x490b08, ftCreationTime.dwHighDateTime=0x19f574, ftLastAccessTime.dwLowDateTime=0x19f068, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x660d6647, ftLastWriteTime.dwHighDateTime=0x19f19c, nFileSizeHigh=0x19ef60, nFileSizeLow=0x19f1b4, dwReserved0=0x1, dwReserved1=0x556d4a63, cFileName="luFsyAqmE9vYonG95Y9hhPvIN2Og1233n10", cAlternateFileName="\x10ô\x19")) returned 0xffffffff [0080.069] GetLastError () returned 0x2 [0080.069] GetLastError () returned 0x2 [0080.069] SetLastError (dwErrCode=0x2) [0080.069] GetLastError () returned 0x2 [0080.069] SetLastError (dwErrCode=0x2) [0080.069] VarCmp (pvarLeft=0x19f580, pvarRight=0x19f560, lcid=0x0, dwFlags=0x30001) returned 0x1 [0080.069] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x19f33c, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\buddingpulvers.exe")) returned 0x2a [0080.069] GetFileVersionInfoSizeA (in: lptstrFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", lpdwHandle=0x19f47c | out: lpdwHandle=0x19f47c) returned 0x534 [0080.069] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x534) returned 0x2813db0 [0080.069] GetFileVersionInfoA (in: lptstrFilename="C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe", dwHandle=0x0, dwLen=0x534, lpData=0x2813db0 | out: lpData=0x2813db0) returned 1 [0080.070] VerQueryValueA (in: pBlock=0x2813db0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x19f474, puLen=0x19f484 | out: lplpBuffer=0x19f474*=0x2813e4c, puLen=0x19f484) returned 1 [0080.070] wsprintfA (in: param_1=0x19f440, param_2="\\StringFileInfo\\%04x%04x\\%s" | out: param_1="\\StringFileInfo\\000004b0\\CompanyName") returned 36 [0080.070] VerQueryValueA (in: pBlock=0x2813db0, lpSubBlock="\\StringFileInfo\\000004b0\\CompanyName", lplpBuffer=0x19f478, puLen=0x19f484 | out: lplpBuffer=0x19f478*=0x281416c, puLen=0x19f484) returned 1 [0080.070] RtlAllocateHeap (HeapHandle=0x2960000, Flags=0x0, Size=0x7) returned 0x296efd0 [0080.070] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x2813db0 | out: hHeap=0x2960000) returned 1 [0080.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296efd0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0080.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296efd0, cbMultiByte=-1, lpWideCharStr=0x4abb64, cchWideChar=6 | out: lpWideCharStr="Smart") returned 6 [0080.070] HeapFree (in: hHeap=0x2960000, dwFlags=0x0, lpMem=0x296efd0 | out: hHeap=0x2960000) returned 1 [0080.070] GetCurrentDirectoryA (in: nBufferLength=0x104, lpBuffer=0x19f2e4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0080.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f418, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f418, cbMultiByte=-1, lpWideCharStr=0x4962dc, cchWideChar=24 | out: lpWideCharStr="C:\\Users\\FD1HVy\\Desktop") returned 24 [0080.070] VarBstrCmp (bstrLeft="C:\\Users\\FD1HVy\\Desktop", bstrRight="AVHYE173", lcid=0x0, dwFlags=0x30001) returned 0x2 [0080.070] VarFormatCurrency (in: pvarIn=0x19f588, iNumDig=-1, iIncLead=-2, iUseParens=-2, iGroup=-2, dwFlags=0x0, pbstrOut=0x19f544 | out: pbstrOut=0x19f544*="$1.00") returned 0x0 [0080.070] VarMonthName (in: iMonth=1, fAbbrev=0, dwFlags=0x0, pbstrOut=0x19f550 | out: pbstrOut=0x19f550*="January") returned 0x0 [0080.071] SafeArrayCopy (in: psa=0x493970, ppsaOut=0x19f590 | out: ppsaOut=0x19f590) returned 0x0 [0080.071] SafeArrayDestroyDescriptor (psa=0x4939a0) returned 0x0 [0080.071] IsWindowVisible (hWnd=0x6002e) returned 1 [0080.071] IsIconic (hWnd=0x6002e) returned 0 [0080.071] IsZoomed (hWnd=0x6002e) returned 0 [0080.071] ShowWindow (hWnd=0x6002e, nCmdShow=0) returned 1 [0080.071] GetCapture () returned 0x0 [0080.071] GetCapture () returned 0x0 [0080.072] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0080.072] GetCapture () returned 0x0 [0080.072] GetCapture () returned 0x0 [0080.072] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x46, wParam=0x0, lParam=0x19f16c) returned 0x0 [0080.072] NtdllDefWindowProc_A (hWnd=0x202b6, Msg=0x46, wParam=0x0, lParam=0x19f16c) returned 0x0 [0080.075] GetCapture () returned 0x0 [0080.075] GetCapture () returned 0x0 [0080.075] GetParent (hWnd=0x6002e) returned 0x0 [0080.075] GetWindowRect (in: hWnd=0x6002e, lpRect=0x19ed10 | out: lpRect=0x19ed10) returned 1 [0080.075] NtdllDefWindowProc_A (hWnd=0x6002e, Msg=0x47, wParam=0x0, lParam=0x19f16c) returned 0x0 [0080.075] GetWindowLongA (hWnd=0x6002e, nIndex=-16) returned 113967104 [0080.075] GetClientRect (in: hWnd=0x6002e, lpRect=0x19ed80 | out: lpRect=0x19ed80) returned 1 [0080.075] MapWindowPoints (in: hWndFrom=0x6002e, hWndTo=0x0, lpPoints=0x19ed80, cPoints=0x2 | out: lpPoints=0x19ed80) returned 14615087 [0080.102] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x40) returned 0x5c0000 [0080.105] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x5caa8b*=0x7ffcea381000, NumberOfBytesToProtect=0x5caa83, NewAccessProtection=0x40, OldAccessProtection=0x5caa7b | out: BaseAddress=0x5caa8b*=0x7ffcea381000, NumberOfBytesToProtect=0x5caa83, OldAccessProtection=0x5caa7b*=0x20) returned 0x0 [0080.254] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0080.254] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x10000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x10000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x10000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x11000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x11000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0xf000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x12000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x12000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x13000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x13000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0xd000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x14000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x14000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0xc000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x15000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x15000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0xb000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x16000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x16000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0xa000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.255] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x17000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x17000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x9000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x18000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x18000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x8000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x19000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x19000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x7000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x1a000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x1b000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x1c000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x1d000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x1e000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.256] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x1f000, AllocationBase=0x10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x20000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x20000, AllocationBase=0x20000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x21000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x21000, AllocationBase=0x20000, AllocationProtect=0x4, RegionSize=0x3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x22000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x22000, AllocationBase=0x20000, AllocationProtect=0x4, RegionSize=0x2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x23000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x23000, AllocationBase=0x20000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x24000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x24000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x25000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x25000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x26000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x26000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x27000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x27000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x28000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x28000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x29000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x29000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x2a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x2b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x2c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x2d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x2e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x2f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x30000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x31000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x31000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x32000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x32000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x33000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x33000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xd000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x34000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x34000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x35000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x35000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x36000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x36000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x37000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x37000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x38000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x38000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x39000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x39000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x3a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x3b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x3c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x3d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x3e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.257] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x3f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x40000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x40000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x18000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x41000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x41000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x17000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x42000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x42000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x16000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x43000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x43000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x15000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x44000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x44000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x14000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x45000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x45000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x13000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x46000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x46000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x12000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x47000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x47000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x11000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x48000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x48000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x10000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x49000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x49000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0xf000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x4a000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0xe000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x4b000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0xd000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x4c000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0xc000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x4d000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0xb000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x4e000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0xa000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x4f000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x9000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x50000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x50000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x8000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.258] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x51000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x51000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x52000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x52000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x6000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x53000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x53000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x5000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x54000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x54000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x55000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x55000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x3000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x56000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x56000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x57000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x57000, AllocationBase=0x40000, AllocationProtect=0x2, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x40000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x58000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x58000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x59000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x59000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x5a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x5b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x5c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x5d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x5e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x5f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x60000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x60000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x35000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x61000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x61000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x34000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x62000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x62000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x33000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x63000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x63000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x32000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x64000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x64000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x31000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x65000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x65000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x30000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x66000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x66000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2f000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x67000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x67000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2e000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x68000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x68000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2d000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x69000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x69000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2c000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x6a000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2b000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.259] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x6b000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2a000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x6c000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x29000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x6d000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x28000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x6e000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x27000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x6f000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x26000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x70000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x70000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x25000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x71000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x71000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x24000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x72000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x72000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x23000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x73000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x73000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x22000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x74000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x74000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x21000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x75000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x75000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x20000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x76000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x76000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1f000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x77000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x77000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1e000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x78000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x78000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1d000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x79000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x79000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1c000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x7a000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1b000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x7b000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1a000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x7c000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x19000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x7d000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x18000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x7e000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x17000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x7f000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x16000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x80000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x15000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x81000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x81000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x14000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x82000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x82000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x13000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x83000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x83000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x12000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x84000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x84000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x11000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x85000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x85000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x10000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x86000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x86000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0xf000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x87000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x87000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0xe000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x88000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x88000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0xd000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.260] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x89000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x89000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0xc000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x8a000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0xb000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x8b000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0xa000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x8c000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x8d000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x8e000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x8f000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x90000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x90000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x91000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x91000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x92000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x92000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x93000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x93000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x94000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x94000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x95000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x95000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x96000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x96000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x97000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x97000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x104, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x98000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x98000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x8000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x99000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x99000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x7000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x9a000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x9b000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x9c000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x9d000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x9e000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x9f000, AllocationBase=0x60000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.261] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfb000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfa000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa2000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa4000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa5000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa6000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa7000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa8000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xa9000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xaa000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xaa000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xab000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xab000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xf0000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xac000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xac000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xef000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xad000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xad000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xee000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xae000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xae000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xed000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xaf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xaf000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xec000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xeb000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xea000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb2000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb4000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb5000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb6000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb7000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb8000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xb9000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.262] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xba000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xba000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xbb000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xe0000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xbc000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xdf000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xbd000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xde000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbe000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xbe000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xdd000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xbf000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xdc000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xdb000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xda000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc2000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc4000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc5000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc6000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc7000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc8000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xc9000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xca000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xca000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xcb000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xd0000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.263] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xcc000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xcf000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xcd000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xce000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xce000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xce000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xcd000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xcf000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xcc000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xcb000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xca000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd2000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd4000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd5000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd6000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd7000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd8000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xd9000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xda000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xda000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xdb000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xc0000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xdc000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xbf000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xdd000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xbe000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xde000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xde000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xbd000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xdf000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xbc000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.267] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xbb000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xba000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe2000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe4000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe5000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe6000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe7000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe8000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xe9000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xea000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xea000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xeb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xeb000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xb0000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xec000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xec000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xaf000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.268] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xed000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xed000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xae000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xee000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xee000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xad000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xef000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xef000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xac000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xab000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xaa000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf2000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa9000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa8000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf4000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa7000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf5000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa6000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf6000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa5000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf7000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa4000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf8000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa3000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xf9000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa2000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfa000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xfa000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa1000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xfb000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xa0000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xfc000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x9f000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xfd000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x9e000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfe000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xfe000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x9d000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xff000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0xff000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x9c000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x100000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x100000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x9b000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x101000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x101000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x9a000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x102000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x102000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x99000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x103000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x103000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x98000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x104000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x104000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x97000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x105000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x105000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x96000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.269] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x106000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x106000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x95000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.270] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x107000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x107000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x94000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0080.270] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x108000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f2c4, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f2c4*(BaseAddress=0x108000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x93000, State=0x2000, Protect=0x0, Type=0x20000), ResultLength=0x0) returned 0x0 [0102.751] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0102.752] LoadLibraryA (lpLibFileName="user32") returned 0x750c0000 [0102.752] EnumWindows (lpEnumFunc=0x5c09fb, lParam=0x19f3e0) returned 1 [0102.759] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0102.759] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0102.760] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0102.760] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0102.763] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19f3c8*=0x77971000, NumberOfBytesToProtect=0x19f3cc, NewAccessProtection=0x40, OldAccessProtection=0x19f3d0 | out: BaseAddress=0x19f3c8*=0x77971000, NumberOfBytesToProtect=0x19f3cc, OldAccessProtection=0x19f3d0*=0x20) returned 0x0 [0102.893] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19f3c8*=0x77971000, NumberOfBytesToProtect=0x19f3cc, NewAccessProtection=0x20, OldAccessProtection=0x19f3d0 | out: BaseAddress=0x19f3c8*=0x77971000, NumberOfBytesToProtect=0x19f3cc, OldAccessProtection=0x19f3d0*=0x80) returned 0x0 [0103.102] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.111] NtSetInformationThread (ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0103.152] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.152] CreateFileA (lpFileName="C:\\ProgramData\\qemu-ga\\qga.state" (normalized: "c:\\programdata\\qemu-ga\\qga.state"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0103.154] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.161] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19f44c*=0x0, ZeroBits=0x0, RegionSize=0x19f448*=0x1c200000, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x19f44c*=0x2f70000, RegionSize=0x19f448*=0x1c200000) returned 0x0 [0103.181] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.181] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.181] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.181] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.181] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.182] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.182] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.182] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.182] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0103.183] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.183] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.183] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.183] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.183] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.184] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.184] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.184] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.184] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.184] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.185] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0103.185] LoadLibraryA (lpLibFileName="shell32") returned 0x75760000 [0112.759] LoadLibraryA (lpLibFileName="shell32") returned 0x75760000 [0112.760] LoadLibraryA (lpLibFileName="advapi32") returned 0x756e0000 [0112.760] LoadLibraryA (lpLibFileName="advapi32") returned 0x756e0000 [0112.767] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0112.767] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\WINDOWS\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", lpCommandLine="\"C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe\" ", lpProcessAttributes=0x2f70000, lpThreadAttributes=0x2f70000, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2f70400*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2f70800, hNewToken=0x0 | out: lpProcessInformation=0x2f70800*(hProcess=0x260, hThread=0x25c, dwProcessId=0x4b4, dwThreadId=0x384), hNewToken=0x0) returned 1 [0112.933] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0112.938] NtOpenFile (in: FileHandle=0x19f4f0, DesiredAccess=0x1, ObjectAttributes=0x2f71420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\WINDOWS\\syswow64\\msvbvm60.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2f71400, ShareAccess=0x1, OpenOptions=0x0 | out: FileHandle=0x19f4f0*=0x268, IoStatusBlock=0x2f71400*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0112.944] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.223] NtCreateSection (in: SectionHandle=0x19f4ec, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x1000000, FileHandle=0x268 | out: SectionHandle=0x19f4ec*=0x264) returned 0x0 [0113.234] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.242] NtMapViewOfSection (in: SectionHandle=0x264, ProcessHandle=0x260, BaseAddress=0x19f4e8*=0x400000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19f4e4*=0x0, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x19f4e8*=0x400000, SectionOffset=0x0, ViewSize=0x19f4e4*=0x153000) returned 0x40000003 [0113.250] NtAllocateVirtualMemory (in: ProcessHandle=0x260, BaseAddress=0x19f4e8*=0x0, ZeroBits=0x0, RegionSize=0x19f4e4*=0x100000, AllocationType=0x1000, Protect=0x40 | out: BaseAddress=0x19f4e8*=0x970000, RegionSize=0x19f4e4*=0x100000) returned 0x0 [0113.340] NtWriteVirtualMemory (in: ProcessHandle=0x260, BaseAddress=0x970000, Buffer=0x5c0000*, NumberOfBytesToWrite=0xd000, NumberOfBytesWritten=0x19f4e4 | out: Buffer=0x5c0000*, NumberOfBytesWritten=0x19f4e4*=0xd000) returned 0x0 [0113.375] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.381] NtGetContextThread (in: ThreadHandle=0x25c, Context=0x2f74100 | out: Context=0x2f74100*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x6a7000, Edx=0x0, Ecx=0x0, Eax=0x59ce5e, Ebp=0x0, Eip=0x779e4210, SegCs=0x23, EFlags=0x202, Esp=0x93fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.440] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.447] NtSetContextThread (ThreadHandle=0x25c, Context=0x2f74100*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x6a7000, Edx=0x0, Ecx=0x0, Eax=0x59ce5e, Ebp=0x0, Eip=0x970000, SegCs=0x23, EFlags=0x202, Esp=0x93fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.465] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.517] NtResumeThread (in: ThreadHandle=0x25c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0113.557] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.558] WaitForSingleObject (hHandle=0x25c, dwMilliseconds=0xffff) returned 0x0 [0137.898] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x2f75004 | out: Context=0x2f75004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0137.898] TerminateProcess (hProcess=0xffffffff, uExitCode=0x0) Thread: id = 2 os_tid = 0x1108 Process: id = "2" image_name = "regasm.exe" filename = "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\regasm.exe" page_root = "0x55a35000" os_pid = "0x4b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x111c" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\BUDDINGPULVERS.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x384 [0120.231] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x97aa8b*=0x7ffcea381000, NumberOfBytesToProtect=0x97aa83, NewAccessProtection=0x40, OldAccessProtection=0x97aa7b | out: BaseAddress=0x97aa8b*=0x7ffcea381000, NumberOfBytesToProtect=0x97aa83, OldAccessProtection=0x97aa7b*=0x20) returned 0x0 [0120.346] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x10000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x10000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3f0000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x11000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x11000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ef000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x12000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x12000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ee000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x13000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x13000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ed000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x14000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x14000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ec000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x15000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x15000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3eb000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x16000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x16000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ea000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x17000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x17000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x18000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x18000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x19000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x19000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x1a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x1b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x1c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x1d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.357] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x1e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x1f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x1f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x20000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x20000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3e0000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x21000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x21000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3df000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x22000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x22000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3de000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x23000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x23000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3dd000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x24000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x24000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3dc000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x25000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x25000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3db000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x26000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x26000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3da000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x27000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x27000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x28000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x28000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x29000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x29000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x2a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x2b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x2c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x2d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x2e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x2f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x2f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x30000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x30000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3d0000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x31000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x31000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3cf000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x32000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x32000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ce000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x33000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x33000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3cd000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x34000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x34000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3cc000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x35000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x35000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3cb000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x36000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x36000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ca000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x37000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x37000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x38000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x38000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x39000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x39000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x3a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x3b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x3c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x3d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x3e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x3f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x3f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x40000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x40000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3c0000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x41000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x41000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3bf000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x42000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x42000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3be000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x43000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x43000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3bd000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x44000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x44000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3bc000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x45000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x45000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3bb000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x46000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x46000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ba000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x47000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x47000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x48000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x48000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x49000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x49000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x4a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x4b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x4c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x4d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x4e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x4f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x4f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.359] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x50000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x50000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3b0000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x51000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x51000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3af000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x52000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x52000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ae000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x53000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x53000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ad000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x54000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x54000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ac000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x55000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x55000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3ab000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x56000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x56000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3aa000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x57000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x57000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x58000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x58000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x59000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x59000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a7000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x5a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a6000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x5b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a5000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x5c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a4000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x5d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a3000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x5e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a2000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x5f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x5f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a1000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x60000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x60000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x3a0000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x61000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x61000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x39f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x62000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x62000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x39e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x63000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x63000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x39d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x64000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x64000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x39c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x65000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x65000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x39b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x66000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x66000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x39a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x67000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x67000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x399000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x68000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x68000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x398000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x69000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x69000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x397000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.360] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x6a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x396000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x6b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x395000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x6c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x394000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x6d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x393000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x6e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x392000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x6f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x391000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x70000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x70000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x390000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x71000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x71000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x38f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x72000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x72000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x38e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x73000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x73000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x38d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x74000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x74000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x38c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x75000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x75000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x38b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x76000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x76000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x38a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x77000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x77000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x389000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x78000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x78000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x388000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x79000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x79000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x387000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x7a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x386000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x7b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x385000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x7c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x384000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x7d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x383000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x7e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x382000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x7f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x7f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x381000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x80000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x380000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x81000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x81000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x37f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x82000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x82000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x37e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.361] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x83000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x83000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x37d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x84000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x84000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x37c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x85000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x85000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x37b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x86000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x86000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x37a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x87000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x87000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x379000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x88000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x88000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x378000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x89000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x89000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x377000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x8a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x376000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x8b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x375000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x8c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x374000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x8d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x373000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x8e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x372000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x8f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x8f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x371000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x90000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x90000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x370000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x91000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x91000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x36f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x92000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x92000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x36e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x93000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x93000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x36d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x94000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x94000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x36c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x95000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x95000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x36b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x96000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x96000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x36a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x97000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x97000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x369000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x98000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x98000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x368000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x99000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x99000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x367000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x9a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x366000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x9b000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x365000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.362] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x9c000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x364000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x9d000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x363000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x9e000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x362000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x9f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x9f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x361000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x360000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa1000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x35f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa2000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x35e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa3000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x35d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa4000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x35c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa5000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x35b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa6000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x35a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa7000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x359000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa8000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x358000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xa9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xa9000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x357000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xaa000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xaa000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x356000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xab000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xab000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x355000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xac000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xac000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x354000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xad000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xad000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x353000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xae000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xae000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x352000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xaf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xaf000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x351000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x350000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb1000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x34f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb2000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x34e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb3000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x34d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb4000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x34c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.363] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb5000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x34b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb6000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x34a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb7000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x349000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb8000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x348000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xb9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xb9000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x347000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xba000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xba000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x346000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xbb000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x345000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xbc000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x344000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xbd000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x343000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbe000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xbe000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x342000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xbf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xbf000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x341000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x340000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc1000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x33f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc2000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x33e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc3000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x33d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc4000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x33c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc5000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x33b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc6000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x33a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc7000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x339000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc8000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x338000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xc9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xc9000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x337000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xca000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xca000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x336000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xcb000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x335000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xcc000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x334000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xcd000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x333000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.364] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xce000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xce000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x332000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xcf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xcf000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x331000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x330000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd1000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x32f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd2000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x32e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd3000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x32d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd4000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x32c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd5000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x32b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd6000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x32a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd7000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x329000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd8000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x328000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xd9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xd9000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x327000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xda000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xda000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x326000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xdb000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x325000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xdc000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x324000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xdd000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x323000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xde000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xde000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x322000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xdf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xdf000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x321000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x320000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe1000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x31f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe2000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x31e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe3000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x31d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe4000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x31c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe5000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x31b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe6000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x31a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.365] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe7000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x319000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe8000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x318000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xe9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xe9000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x317000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xea000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xea000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x316000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xeb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xeb000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x315000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xec000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xec000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x314000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xed000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xed000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x313000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xee000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xee000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x312000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xef000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xef000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x311000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x310000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf1000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30f000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf2000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30e000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf3000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30d000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf4000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30c000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf5000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30b000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf6000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf6000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30a000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf7000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf7000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x309000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf8000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x308000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xf9000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xf9000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x307000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfa000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xfa000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x306000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xfb000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x305000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xfc000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x304000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xfd000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x303000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xfe000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xfe000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x302000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0xff000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0xff000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x301000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.366] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x100000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x100000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x300000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x101000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x101000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2ff000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x102000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x102000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2fe000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x103000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x103000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2fd000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x104000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x104000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2fc000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x105000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x105000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2fb000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x106000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x106000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2fa000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x107000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x107000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2f9000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0120.367] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x108000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x93fccc, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x93fccc*(BaseAddress=0x108000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x2f8000, State=0x10000, Protect=0x1, Type=0x0), ResultLength=0x0) returned 0x0 [0129.109] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.109] LoadLibraryA (lpLibFileName="user32") returned 0x750c0000 [0129.109] EnumWindows (lpEnumFunc=0x9709fb, lParam=0x93fde8) returned 1 [0129.113] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.113] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.119] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.119] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.119] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x93fdd0*=0x77971000, NumberOfBytesToProtect=0x93fdd4, NewAccessProtection=0x40, OldAccessProtection=0x93fdd8 | out: BaseAddress=0x93fdd0*=0x77971000, NumberOfBytesToProtect=0x93fdd4, OldAccessProtection=0x93fdd8*=0x20) returned 0x0 [0129.149] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x93fdd0*=0x77971000, NumberOfBytesToProtect=0x93fdd4, NewAccessProtection=0x20, OldAccessProtection=0x93fdd8 | out: BaseAddress=0x93fdd0*=0x77971000, NumberOfBytesToProtect=0x93fdd4, OldAccessProtection=0x93fdd8*=0x80) returned 0x0 [0129.306] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.312] NtSetInformationThread (ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0129.313] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.313] CreateFileA (lpFileName="C:\\ProgramData\\qemu-ga\\qga.state" (normalized: "c:\\programdata\\qemu-ga\\qga.state"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0129.314] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.319] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x93fe54*=0x0, ZeroBits=0x0, RegionSize=0x93fe50*=0x1c200000, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x93fe54*=0x26b0000, RegionSize=0x93fe50*=0x1c200000) returned 0x0 [0129.335] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.335] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.335] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="ntdll") returned 0x77970000 [0129.336] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.336] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.337] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.338] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.338] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.338] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0129.338] LoadLibraryA (lpLibFileName="shell32") returned 0x75760000 [0129.338] LoadLibraryA (lpLibFileName="shell32") returned 0x75760000 [0129.338] LoadLibraryA (lpLibFileName="advapi32") returned 0x756e0000 [0129.338] LoadLibraryA (lpLibFileName="advapi32") returned 0x756e0000 [0129.343] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x73bd0000 [0130.627] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x73bd0000 [0130.628] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x73bd0000 [0130.628] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x73bd0000 [0130.628] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x73bd0000 [0130.629] InternetOpenA (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0133.262] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26b5004 | out: Context=0x26b5004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0133.262] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x93feec, dwBufferLength=0x4) returned 1 [0133.274] InternetOpenUrlA (hInternet=0xcc0004, lpszUrl="https://drive.google.com/uc?export=download&id=1QWqkgFZkOmBDvR4uR2YwoOXuLiVcEUxl", lpszHeaders=0x0, dwHeadersLength=0x0, dwFlags=0x84000100, dwContext=0x0) returned 0xcc000c [0135.357] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26b5004 | out: Context=0x26b5004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0135.359] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x26c0000, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x93fedc | out: lpBuffer=0x26c0000*, lpdwNumberOfBytesRead=0x93fedc*=0xf240) returned 1 [0135.396] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26b5004 | out: Context=0x26b5004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0135.396] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x26cf240, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x93fedc | out: lpBuffer=0x26cf240*, lpdwNumberOfBytesRead=0x93fedc*=0x0) returned 1 [0135.406] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26b5004 | out: Context=0x26b5004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0135.406] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0135.416] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26b5004 | out: Context=0x26b5004*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0135.482] InternetCloseHandle (hInternet=0xcc000c) returned 0 [0135.525] LoadLibraryA (lpLibFileName="kernel32") returned 0x772d0000 [0135.544] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x7e, [3]=0x51, [4]=0x0, [5]=0x0, [6]=0x4, [7]=0x20, [8]=0x99, [9]=0x38, [10]=0x0, [11]=0x0, [12]=0x28, [13]=0x52, [14]=0x0, [15]=0x0, [16]=0x6, [17]=0x13, [18]=0x4, [19]=0x73, [20]=0xd6, [21]=0x0, [22]=0x0, [23]=0xa, [24]=0x13, [25]=0x5, [26]=0x11, [27]=0x5, [28]=0x5, [29]=0x6f, [30]=0x6d, [31]=0x0, [32]=0x0, [33]=0xa, [34]=0x13, [35]=0x6, [36]=0x8, [37]=0x11, [38]=0x6, [39]=0x8e, [40]=0x69, [41]=0x6a, [42]=0x6f, [43]=0xd7, [44]=0x0, [45]=0x0, [46]=0xa, [47]=0x0, [48]=0x7e, [49]=0x51, [50]=0x0, [51]=0x0, [52]=0x4, [53]=0x20, [54]=0x77, [55]=0x39, [56]=0x0, [57]=0x0, [58]=0x28, [59]=0x52, [60]=0x0, [61]=0x0, [62]=0x6, [63]=0x13, [64]=0x7, [65]=0x7e, [66]=0x51, [67]=0x0, [68]=0x0, [69]=0x4, [70]=0x20, [71]=0x91, [72]=0x3a, [73]=0x0, [74]=0x0, [75]=0x28, [76]=0x52, [77]=0x0, [78]=0x0, [79]=0x6, [80]=0x13, [81]=0x8, [82]=0x8, [83]=0x6f, [84]=0xd8, [85]=0x0, [86]=0x0, [87]=0xa, [88]=0x13, [89]=0x9, [90]=0x0, [91]=0x11, [92]=0x9, [93]=0x11, [94]=0x6, [95]=0x16, [96]=0x11, [97]=0x6, [98]=0x8e, [99]=0x69, [100]=0x6f, [101]=0xd9, [102]=0x0, [103]=0x0, [104]=0xa, [105]=0x0, [106]=0x0, [107]=0xde, [108]=0x14, [109]=0x11, [110]=0x9, [111]=0x14, [112]=0xfe, [113]=0x1, [114]=0x13, [115]=0xd, [116]=0x11, [117]=0xd, [118]=0x2d, [119]=0x8, [120]=0x11, [121]=0x9, [122]=0x6f, [123]=0x20, [124]=0x0, [125]=0x0, [126]=0xa, [127]=0x0, [128]=0xdc, [129]=0x0, [130]=0x7e, [131]=0x51, [132]=0x0, [133]=0x0, [134]=0x4, [135]=0x20, [136]=0x87, [137]=0x3b, [138]=0x0, [139]=0x0, [140]=0x28, [141]=0x52, [142]=0x0, [143]=0x0, [144]=0x6, [145]=0x13, [146]=0xa, [147]=0x8, [148]=0x6f, [149]=0xda, [150]=0x0, [151]=0x0, [152]=0xa, [153]=0x74, [154]=0x81, [155]=0x0, [156]=0x0, [157]=0x1, [158]=0x13, [159]=0xb, [160]=0x0, [161]=0x0, [162]=0xde, [163]=0x14, [164]=0x11, [165]=0xb, [166]=0x14, [167]=0xfe, [168]=0x1, [169]=0x13, [170]=0xd, [171]=0x11, [172]=0xd, [173]=0x2d, [174]=0x8, [175]=0x11, [176]=0xb, [177]=0x6f, [178]=0x20, [179]=0x0, [180]=0x0, [181]=0xa, [182]=0x0, [183]=0xdc, [184]=0x0, [185]=0x0, [186]=0xde, [187]=0x5, [188]=0x26, [189]=0x0, [190]=0x0, [191]=0xde, [192]=0x0, [193]=0x0, [194]=0x2a, [195]=0x0, [196]=0x41, [197]=0x4c, [198]=0x0, [199]=0x0, [200]=0x2, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x26, [205]=0x1, [206]=0x0, [207]=0x0, [208]=0x13, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x39, [213]=0x1, [214]=0x0, [215]=0x0, [216]=0x14, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x2, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x6c, [229]=0x1, [230]=0x0, [231]=0x0, [232]=0x4, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x70, [237]=0x1, [238]=0x0, [239]=0x0, [240]=0x14, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x1, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x87, [257]=0x1, [258]=0x0, [259]=0x0, [260]=0x88, [261]=0x1, [262]=0x0, [263]=0x0, [264]=0x5, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x1, [269]=0x0, [270]=0x0, [271]=0x1, [272]=0x1b, [273]=0x30, [274]=0x6, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x21, [281]=0x0, [282]=0x0, [283]=0x11, [284]=0x0, [285]=0x0, [286]=0x73, [287]=0x25, [288]=0x0, [289]=0x0, [290]=0xa, [291]=0xa, [292]=0x0, [293]=0x6, [294]=0x3, [295]=0x4, [296]=0x73, [297]=0xd4, [298]=0x0, [299]=0x0, [300]=0xa, [301]=0x6f, [302]=0xdb, [303]=0x0, [304]=0x0, [305]=0xa, [306]=0x0, [307]=0x6, [308]=0x2, [309]=0x1c, [310]=0x8d, [311]=0x1b, [312]=0x0, [313]=0x0, [314]=0x1, [315]=0xb, [316]=0x7, [317]=0x16, [318]=0x7e, [319]=0x51, [320]=0x0, [321]=0x0, [322]=0x4, [323]=0x20, [324]=0xd6, [325]=0x36, [326]=0x0, [327]=0x0, [328]=0x28, [329]=0x52, [330]=0x0, [331]=0x0, [332]=0x6, [333]=0xa2, [334]=0x7, [335]=0x17, [336]=0x28, [337]=0xd0, [338]=0x0, [339]=0x0, [340]=0xa, [341]=0xa2, [342]=0x7, [343]=0x18, [344]=0x7e, [345]=0x51, [346]=0x0, [347]=0x0, [348]=0x4, [349]=0x20, [350]=0xe3, [351]=0x36, [352]=0x0, [353]=0x0, [354]=0x28, [355]=0x52, [356]=0x0, [357]=0x0, [358]=0x6, [359]=0xa2, [360]=0x7, [361]=0x19, [362]=0x28, [363]=0xd1, [364]=0x0, [365]=0x0, [366]=0xa, [367]=0xa2, [368]=0x7, [369]=0x1a, [370]=0x7e, [371]=0x51, [372]=0x0, [373]=0x0, [374]=0x4, [375]=0x20, [376]=0xf8, [377]=0x36, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0x52, [382]=0x0, [383]=0x0, [384]=0x6, [385]=0xa2, [386]=0x7, [387]=0x1b, [388]=0x5, [389]=0x28, [390]=0xe, [391]=0x0, [392]=0x0, [393]=0xa, [394]=0xa2, [395]=0x7, [396]=0x28, [397]=0x2a, [398]=0x0, [399]=0x0, [400]=0xa, [401]=0x16, [402]=0x8d, [403]=0x1, [404]=0x0, [405]=0x0, [406]=0x1, [407]=0x28, [408]=0xdc, [409]=0x0, [410]=0x0, [411]=0xa, [412]=0x28, [413]=0xd, [414]=0x0, [415]=0x0, [416]=0xa, [417]=0x7e, [418]=0x51, [419]=0x0, [420]=0x0, [421]=0x4, [422]=0x20, [423]=0x90, [424]=0x38, [425]=0x0, [426]=0x0, [427]=0x28, [428]=0x52, [429]=0x0, [430]=0x0, [431]=0x6, [432]=0x5, [433]=0x6f, [434]=0xdd, [435]=0x0, [436]=0x0, [437]=0xa, [438]=0x26, [439]=0x0, [440]=0xde, [441]=0x10, [442]=0x6, [443]=0x14, [444]=0xfe, [445]=0x1, [446]=0xc, [447]=0x8, [448]=0x2d, [449]=0x7, [450]=0x6, [451]=0x6f, [452]=0x20, [453]=0x0, [454]=0x0, [455]=0xa, [456]=0x0, [457]=0xdc, [458]=0x0, [459]=0x0, [460]=0xde, [461]=0x5, [462]=0x26, [463]=0x0, [464]=0x0, [465]=0xde, [466]=0x0, [467]=0x0, [468]=0x2a, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x1c, [474]=0x0, [475]=0x0, [476]=0x2, [477]=0x0, [478]=0x8, [479]=0x0, [480]=0x96, [481]=0x9e, [482]=0x0, [483]=0x10, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x1, [491]=0x0, [492]=0xb1, [493]=0xb2, [494]=0x0, [495]=0x5, [496]=0x1, [497]=0x0, [498]=0x0, [499]=0x1, [500]=0x1e, [501]=0x2, [502]=0x28, [503]=0x8c, [504]=0x0, [505]=0x0, [506]=0xa, [507]=0x2a, [508]=0x42, [509]=0xd0, [510]=0xd, [511]=0x0))) returned 0x0 [0135.554] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x26b0800*=0x400000, NumberOfBytesToProtect=0x26b0808, NewAccessProtection=0x4, OldAccessProtection=0x93fe88 | out: BaseAddress=0x26b0800*=0x400000, NumberOfBytesToProtect=0x26b0808, OldAccessProtection=0x93fe88*=0x2) returned 0x0 [0135.626] LoadLibraryA (lpLibFileName="mscoree.dll") returned 0x741e0000 [0135.627] GetProcAddress (hModule=0x741e0000, lpProcName="_CorExeMain") returned 0x741f4dc0 [0135.661] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x7e, [3]=0x51, [4]=0x0, [5]=0x0, [6]=0x4, [7]=0x20, [8]=0x99, [9]=0x38, [10]=0x0, [11]=0x0, [12]=0x28, [13]=0x52, [14]=0x0, [15]=0x0, [16]=0x6, [17]=0x13, [18]=0x4, [19]=0x73, [20]=0xd6, [21]=0x0, [22]=0x0, [23]=0xa, [24]=0x13, [25]=0x5, [26]=0x11, [27]=0x5, [28]=0x5, [29]=0x6f, [30]=0x6d, [31]=0x0, [32]=0x0, [33]=0xa, [34]=0x13, [35]=0x6, [36]=0x8, [37]=0x11, [38]=0x6, [39]=0x8e, [40]=0x69, [41]=0x6a, [42]=0x6f, [43]=0xd7, [44]=0x0, [45]=0x0, [46]=0xa, [47]=0x0, [48]=0x7e, [49]=0x51, [50]=0x0, [51]=0x0, [52]=0x4, [53]=0x20, [54]=0x77, [55]=0x39, [56]=0x0, [57]=0x0, [58]=0x28, [59]=0x52, [60]=0x0, [61]=0x0, [62]=0x6, [63]=0x13, [64]=0x7, [65]=0x7e, [66]=0x51, [67]=0x0, [68]=0x0, [69]=0x4, [70]=0x20, [71]=0x91, [72]=0x3a, [73]=0x0, [74]=0x0, [75]=0x28, [76]=0x52, [77]=0x0, [78]=0x0, [79]=0x6, [80]=0x13, [81]=0x8, [82]=0x8, [83]=0x6f, [84]=0xd8, [85]=0x0, [86]=0x0, [87]=0xa, [88]=0x13, [89]=0x9, [90]=0x0, [91]=0x11, [92]=0x9, [93]=0x11, [94]=0x6, [95]=0x16, [96]=0x11, [97]=0x6, [98]=0x8e, [99]=0x69, [100]=0x6f, [101]=0xd9, [102]=0x0, [103]=0x0, [104]=0xa, [105]=0x0, [106]=0x0, [107]=0xde, [108]=0x14, [109]=0x11, [110]=0x9, [111]=0x14, [112]=0xfe, [113]=0x1, [114]=0x13, [115]=0xd, [116]=0x11, [117]=0xd, [118]=0x2d, [119]=0x8, [120]=0x11, [121]=0x9, [122]=0x6f, [123]=0x20, [124]=0x0, [125]=0x0, [126]=0xa, [127]=0x0, [128]=0xdc, [129]=0x0, [130]=0x7e, [131]=0x51, [132]=0x0, [133]=0x0, [134]=0x4, [135]=0x20, [136]=0x87, [137]=0x3b, [138]=0x0, [139]=0x0, [140]=0x28, [141]=0x52, [142]=0x0, [143]=0x0, [144]=0x6, [145]=0x13, [146]=0xa, [147]=0x8, [148]=0x6f, [149]=0xda, [150]=0x0, [151]=0x0, [152]=0xa, [153]=0x74, [154]=0x81, [155]=0x0, [156]=0x0, [157]=0x1, [158]=0x13, [159]=0xb, [160]=0x0, [161]=0x0, [162]=0xde, [163]=0x14, [164]=0x11, [165]=0xb, [166]=0x14, [167]=0xfe, [168]=0x1, [169]=0x13, [170]=0xd, [171]=0x11, [172]=0xd, [173]=0x2d, [174]=0x8, [175]=0x11, [176]=0xb, [177]=0x6f, [178]=0x20, [179]=0x0, [180]=0x0, [181]=0xa, [182]=0x0, [183]=0xdc, [184]=0x0, [185]=0x0, [186]=0xde, [187]=0x5, [188]=0x26, [189]=0x0, [190]=0x0, [191]=0xde, [192]=0x0, [193]=0x0, [194]=0x2a, [195]=0x0, [196]=0x41, [197]=0x4c, [198]=0x0, [199]=0x0, [200]=0x2, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x26, [205]=0x1, [206]=0x0, [207]=0x0, [208]=0x13, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x39, [213]=0x1, [214]=0x0, [215]=0x0, [216]=0x14, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x2, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x6c, [229]=0x1, [230]=0x0, [231]=0x0, [232]=0x4, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x70, [237]=0x1, [238]=0x0, [239]=0x0, [240]=0x14, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x1, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x87, [257]=0x1, [258]=0x0, [259]=0x0, [260]=0x88, [261]=0x1, [262]=0x0, [263]=0x0, [264]=0x5, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x1, [269]=0x0, [270]=0x0, [271]=0x1, [272]=0x1b, [273]=0x30, [274]=0x6, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x21, [281]=0x0, [282]=0x0, [283]=0x11, [284]=0x0, [285]=0x0, [286]=0x73, [287]=0x25, [288]=0x0, [289]=0x0, [290]=0xa, [291]=0xa, [292]=0x0, [293]=0x6, [294]=0x3, [295]=0x4, [296]=0x73, [297]=0xd4, [298]=0x0, [299]=0x0, [300]=0xa, [301]=0x6f, [302]=0xdb, [303]=0x0, [304]=0x0, [305]=0xa, [306]=0x0, [307]=0x6, [308]=0x2, [309]=0x1c, [310]=0x8d, [311]=0x1b, [312]=0x0, [313]=0x0, [314]=0x1, [315]=0xb, [316]=0x7, [317]=0x16, [318]=0x7e, [319]=0x51, [320]=0x0, [321]=0x0, [322]=0x4, [323]=0x20, [324]=0xd6, [325]=0x36, [326]=0x0, [327]=0x0, [328]=0x28, [329]=0x52, [330]=0x0, [331]=0x0, [332]=0x6, [333]=0xa2, [334]=0x7, [335]=0x17, [336]=0x28, [337]=0xd0, [338]=0x0, [339]=0x0, [340]=0xa, [341]=0xa2, [342]=0x7, [343]=0x18, [344]=0x7e, [345]=0x51, [346]=0x0, [347]=0x0, [348]=0x4, [349]=0x20, [350]=0xe3, [351]=0x36, [352]=0x0, [353]=0x0, [354]=0x28, [355]=0x52, [356]=0x0, [357]=0x0, [358]=0x6, [359]=0xa2, [360]=0x7, [361]=0x19, [362]=0x28, [363]=0xd1, [364]=0x0, [365]=0x0, [366]=0xa, [367]=0xa2, [368]=0x7, [369]=0x1a, [370]=0x7e, [371]=0x51, [372]=0x0, [373]=0x0, [374]=0x4, [375]=0x20, [376]=0xf8, [377]=0x36, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0x52, [382]=0x0, [383]=0x0, [384]=0x6, [385]=0xa2, [386]=0x7, [387]=0x1b, [388]=0x5, [389]=0x28, [390]=0xe, [391]=0x0, [392]=0x0, [393]=0xa, [394]=0xa2, [395]=0x7, [396]=0x28, [397]=0x2a, [398]=0x0, [399]=0x0, [400]=0xa, [401]=0x16, [402]=0x8d, [403]=0x1, [404]=0x0, [405]=0x0, [406]=0x1, [407]=0x28, [408]=0xdc, [409]=0x0, [410]=0x0, [411]=0xa, [412]=0x28, [413]=0xd, [414]=0x0, [415]=0x0, [416]=0xa, [417]=0x7e, [418]=0x51, [419]=0x0, [420]=0x0, [421]=0x4, [422]=0x20, [423]=0x90, [424]=0x38, [425]=0x0, [426]=0x0, [427]=0x28, [428]=0x52, [429]=0x0, [430]=0x0, [431]=0x6, [432]=0x5, [433]=0x6f, [434]=0xdd, [435]=0x0, [436]=0x0, [437]=0xa, [438]=0x26, [439]=0x0, [440]=0xde, [441]=0x10, [442]=0x6, [443]=0x14, [444]=0xfe, [445]=0x1, [446]=0xc, [447]=0x8, [448]=0x2d, [449]=0x7, [450]=0x6, [451]=0x6f, [452]=0x20, [453]=0x0, [454]=0x0, [455]=0xa, [456]=0x0, [457]=0xdc, [458]=0x0, [459]=0x0, [460]=0xde, [461]=0x5, [462]=0x26, [463]=0x0, [464]=0x0, [465]=0xde, [466]=0x0, [467]=0x0, [468]=0x2a, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x1c, [474]=0x0, [475]=0x0, [476]=0x2, [477]=0x0, [478]=0x8, [479]=0x0, [480]=0x96, [481]=0x9e, [482]=0x0, [483]=0x10, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x1, [491]=0x0, [492]=0xb1, [493]=0xb2, [494]=0x0, [495]=0x5, [496]=0x1, [497]=0x0, [498]=0x0, [499]=0x1, [500]=0x1e, [501]=0x2, [502]=0x28, [503]=0x8c, [504]=0x0, [505]=0x0, [506]=0xa, [507]=0x2a, [508]=0x42, [509]=0xd0, [510]=0xd, [511]=0x0))) returned 0x0 [0135.671] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x93fee4*=0x402000, NumberOfBytesToProtect=0x26b1008, NewAccessProtection=0x20, OldAccessProtection=0x93fe88 | out: BaseAddress=0x93fee4*=0x402000, NumberOfBytesToProtect=0x26b1008, OldAccessProtection=0x93fe88*=0x4) returned 0x0 [0135.681] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x7e, [3]=0x51, [4]=0x0, [5]=0x0, [6]=0x4, [7]=0x20, [8]=0x99, [9]=0x38, [10]=0x0, [11]=0x0, [12]=0x28, [13]=0x52, [14]=0x0, [15]=0x0, [16]=0x6, [17]=0x13, [18]=0x4, [19]=0x73, [20]=0xd6, [21]=0x0, [22]=0x0, [23]=0xa, [24]=0x13, [25]=0x5, [26]=0x11, [27]=0x5, [28]=0x5, [29]=0x6f, [30]=0x6d, [31]=0x0, [32]=0x0, [33]=0xa, [34]=0x13, [35]=0x6, [36]=0x8, [37]=0x11, [38]=0x6, [39]=0x8e, [40]=0x69, [41]=0x6a, [42]=0x6f, [43]=0xd7, [44]=0x0, [45]=0x0, [46]=0xa, [47]=0x0, [48]=0x7e, [49]=0x51, [50]=0x0, [51]=0x0, [52]=0x4, [53]=0x20, [54]=0x77, [55]=0x39, [56]=0x0, [57]=0x0, [58]=0x28, [59]=0x52, [60]=0x0, [61]=0x0, [62]=0x6, [63]=0x13, [64]=0x7, [65]=0x7e, [66]=0x51, [67]=0x0, [68]=0x0, [69]=0x4, [70]=0x20, [71]=0x91, [72]=0x3a, [73]=0x0, [74]=0x0, [75]=0x28, [76]=0x52, [77]=0x0, [78]=0x0, [79]=0x6, [80]=0x13, [81]=0x8, [82]=0x8, [83]=0x6f, [84]=0xd8, [85]=0x0, [86]=0x0, [87]=0xa, [88]=0x13, [89]=0x9, [90]=0x0, [91]=0x11, [92]=0x9, [93]=0x11, [94]=0x6, [95]=0x16, [96]=0x11, [97]=0x6, [98]=0x8e, [99]=0x69, [100]=0x6f, [101]=0xd9, [102]=0x0, [103]=0x0, [104]=0xa, [105]=0x0, [106]=0x0, [107]=0xde, [108]=0x14, [109]=0x11, [110]=0x9, [111]=0x14, [112]=0xfe, [113]=0x1, [114]=0x13, [115]=0xd, [116]=0x11, [117]=0xd, [118]=0x2d, [119]=0x8, [120]=0x11, [121]=0x9, [122]=0x6f, [123]=0x20, [124]=0x0, [125]=0x0, [126]=0xa, [127]=0x0, [128]=0xdc, [129]=0x0, [130]=0x7e, [131]=0x51, [132]=0x0, [133]=0x0, [134]=0x4, [135]=0x20, [136]=0x87, [137]=0x3b, [138]=0x0, [139]=0x0, [140]=0x28, [141]=0x52, [142]=0x0, [143]=0x0, [144]=0x6, [145]=0x13, [146]=0xa, [147]=0x8, [148]=0x6f, [149]=0xda, [150]=0x0, [151]=0x0, [152]=0xa, [153]=0x74, [154]=0x81, [155]=0x0, [156]=0x0, [157]=0x1, [158]=0x13, [159]=0xb, [160]=0x0, [161]=0x0, [162]=0xde, [163]=0x14, [164]=0x11, [165]=0xb, [166]=0x14, [167]=0xfe, [168]=0x1, [169]=0x13, [170]=0xd, [171]=0x11, [172]=0xd, [173]=0x2d, [174]=0x8, [175]=0x11, [176]=0xb, [177]=0x6f, [178]=0x20, [179]=0x0, [180]=0x0, [181]=0xa, [182]=0x0, [183]=0xdc, [184]=0x0, [185]=0x0, [186]=0xde, [187]=0x5, [188]=0x26, [189]=0x0, [190]=0x0, [191]=0xde, [192]=0x0, [193]=0x0, [194]=0x2a, [195]=0x0, [196]=0x41, [197]=0x4c, [198]=0x0, [199]=0x0, [200]=0x2, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x26, [205]=0x1, [206]=0x0, [207]=0x0, [208]=0x13, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x39, [213]=0x1, [214]=0x0, [215]=0x0, [216]=0x14, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x2, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x6c, [229]=0x1, [230]=0x0, [231]=0x0, [232]=0x4, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x70, [237]=0x1, [238]=0x0, [239]=0x0, [240]=0x14, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x1, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x87, [257]=0x1, [258]=0x0, [259]=0x0, [260]=0x88, [261]=0x1, [262]=0x0, [263]=0x0, [264]=0x5, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x1, [269]=0x0, [270]=0x0, [271]=0x1, [272]=0x1b, [273]=0x30, [274]=0x6, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x21, [281]=0x0, [282]=0x0, [283]=0x11, [284]=0x0, [285]=0x0, [286]=0x73, [287]=0x25, [288]=0x0, [289]=0x0, [290]=0xa, [291]=0xa, [292]=0x0, [293]=0x6, [294]=0x3, [295]=0x4, [296]=0x73, [297]=0xd4, [298]=0x0, [299]=0x0, [300]=0xa, [301]=0x6f, [302]=0xdb, [303]=0x0, [304]=0x0, [305]=0xa, [306]=0x0, [307]=0x6, [308]=0x2, [309]=0x1c, [310]=0x8d, [311]=0x1b, [312]=0x0, [313]=0x0, [314]=0x1, [315]=0xb, [316]=0x7, [317]=0x16, [318]=0x7e, [319]=0x51, [320]=0x0, [321]=0x0, [322]=0x4, [323]=0x20, [324]=0xd6, [325]=0x36, [326]=0x0, [327]=0x0, [328]=0x28, [329]=0x52, [330]=0x0, [331]=0x0, [332]=0x6, [333]=0xa2, [334]=0x7, [335]=0x17, [336]=0x28, [337]=0xd0, [338]=0x0, [339]=0x0, [340]=0xa, [341]=0xa2, [342]=0x7, [343]=0x18, [344]=0x7e, [345]=0x51, [346]=0x0, [347]=0x0, [348]=0x4, [349]=0x20, [350]=0xe3, [351]=0x36, [352]=0x0, [353]=0x0, [354]=0x28, [355]=0x52, [356]=0x0, [357]=0x0, [358]=0x6, [359]=0xa2, [360]=0x7, [361]=0x19, [362]=0x28, [363]=0xd1, [364]=0x0, [365]=0x0, [366]=0xa, [367]=0xa2, [368]=0x7, [369]=0x1a, [370]=0x7e, [371]=0x51, [372]=0x0, [373]=0x0, [374]=0x4, [375]=0x20, [376]=0xf8, [377]=0x36, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0x52, [382]=0x0, [383]=0x0, [384]=0x6, [385]=0xa2, [386]=0x7, [387]=0x1b, [388]=0x5, [389]=0x28, [390]=0xe, [391]=0x0, [392]=0x0, [393]=0xa, [394]=0xa2, [395]=0x7, [396]=0x28, [397]=0x2a, [398]=0x0, [399]=0x0, [400]=0xa, [401]=0x16, [402]=0x8d, [403]=0x1, [404]=0x0, [405]=0x0, [406]=0x1, [407]=0x28, [408]=0xdc, [409]=0x0, [410]=0x0, [411]=0xa, [412]=0x28, [413]=0xd, [414]=0x0, [415]=0x0, [416]=0xa, [417]=0x7e, [418]=0x51, [419]=0x0, [420]=0x0, [421]=0x4, [422]=0x20, [423]=0x90, [424]=0x38, [425]=0x0, [426]=0x0, [427]=0x28, [428]=0x52, [429]=0x0, [430]=0x0, [431]=0x6, [432]=0x5, [433]=0x6f, [434]=0xdd, [435]=0x0, [436]=0x0, [437]=0xa, [438]=0x26, [439]=0x0, [440]=0xde, [441]=0x10, [442]=0x6, [443]=0x14, [444]=0xfe, [445]=0x1, [446]=0xc, [447]=0x8, [448]=0x2d, [449]=0x7, [450]=0x6, [451]=0x6f, [452]=0x20, [453]=0x0, [454]=0x0, [455]=0xa, [456]=0x0, [457]=0xdc, [458]=0x0, [459]=0x0, [460]=0xde, [461]=0x5, [462]=0x26, [463]=0x0, [464]=0x0, [465]=0xde, [466]=0x0, [467]=0x0, [468]=0x2a, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x1c, [474]=0x0, [475]=0x0, [476]=0x2, [477]=0x0, [478]=0x8, [479]=0x0, [480]=0x96, [481]=0x9e, [482]=0x0, [483]=0x10, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x1, [491]=0x0, [492]=0xb1, [493]=0xb2, [494]=0x0, [495]=0x5, [496]=0x1, [497]=0x0, [498]=0x0, [499]=0x1, [500]=0x1e, [501]=0x2, [502]=0x28, [503]=0x8c, [504]=0x0, [505]=0x0, [506]=0xa, [507]=0x2a, [508]=0x42, [509]=0xd0, [510]=0xd, [511]=0x0))) returned 0x0 [0135.691] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x93fee4*=0x412000, NumberOfBytesToProtect=0x26b1030, NewAccessProtection=0x4, OldAccessProtection=0x93fe88 | out: BaseAddress=0x93fee4*=0x412000, NumberOfBytesToProtect=0x26b1030, OldAccessProtection=0x93fe88*=0x4) returned 0x0 [0135.701] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x7e, [3]=0x51, [4]=0x0, [5]=0x0, [6]=0x4, [7]=0x20, [8]=0x99, [9]=0x38, [10]=0x0, [11]=0x0, [12]=0x28, [13]=0x52, [14]=0x0, [15]=0x0, [16]=0x6, [17]=0x13, [18]=0x4, [19]=0x73, [20]=0xd6, [21]=0x0, [22]=0x0, [23]=0xa, [24]=0x13, [25]=0x5, [26]=0x11, [27]=0x5, [28]=0x5, [29]=0x6f, [30]=0x6d, [31]=0x0, [32]=0x0, [33]=0xa, [34]=0x13, [35]=0x6, [36]=0x8, [37]=0x11, [38]=0x6, [39]=0x8e, [40]=0x69, [41]=0x6a, [42]=0x6f, [43]=0xd7, [44]=0x0, [45]=0x0, [46]=0xa, [47]=0x0, [48]=0x7e, [49]=0x51, [50]=0x0, [51]=0x0, [52]=0x4, [53]=0x20, [54]=0x77, [55]=0x39, [56]=0x0, [57]=0x0, [58]=0x28, [59]=0x52, [60]=0x0, [61]=0x0, [62]=0x6, [63]=0x13, [64]=0x7, [65]=0x7e, [66]=0x51, [67]=0x0, [68]=0x0, [69]=0x4, [70]=0x20, [71]=0x91, [72]=0x3a, [73]=0x0, [74]=0x0, [75]=0x28, [76]=0x52, [77]=0x0, [78]=0x0, [79]=0x6, [80]=0x13, [81]=0x8, [82]=0x8, [83]=0x6f, [84]=0xd8, [85]=0x0, [86]=0x0, [87]=0xa, [88]=0x13, [89]=0x9, [90]=0x0, [91]=0x11, [92]=0x9, [93]=0x11, [94]=0x6, [95]=0x16, [96]=0x11, [97]=0x6, [98]=0x8e, [99]=0x69, [100]=0x6f, [101]=0xd9, [102]=0x0, [103]=0x0, [104]=0xa, [105]=0x0, [106]=0x0, [107]=0xde, [108]=0x14, [109]=0x11, [110]=0x9, [111]=0x14, [112]=0xfe, [113]=0x1, [114]=0x13, [115]=0xd, [116]=0x11, [117]=0xd, [118]=0x2d, [119]=0x8, [120]=0x11, [121]=0x9, [122]=0x6f, [123]=0x20, [124]=0x0, [125]=0x0, [126]=0xa, [127]=0x0, [128]=0xdc, [129]=0x0, [130]=0x7e, [131]=0x51, [132]=0x0, [133]=0x0, [134]=0x4, [135]=0x20, [136]=0x87, [137]=0x3b, [138]=0x0, [139]=0x0, [140]=0x28, [141]=0x52, [142]=0x0, [143]=0x0, [144]=0x6, [145]=0x13, [146]=0xa, [147]=0x8, [148]=0x6f, [149]=0xda, [150]=0x0, [151]=0x0, [152]=0xa, [153]=0x74, [154]=0x81, [155]=0x0, [156]=0x0, [157]=0x1, [158]=0x13, [159]=0xb, [160]=0x0, [161]=0x0, [162]=0xde, [163]=0x14, [164]=0x11, [165]=0xb, [166]=0x14, [167]=0xfe, [168]=0x1, [169]=0x13, [170]=0xd, [171]=0x11, [172]=0xd, [173]=0x2d, [174]=0x8, [175]=0x11, [176]=0xb, [177]=0x6f, [178]=0x20, [179]=0x0, [180]=0x0, [181]=0xa, [182]=0x0, [183]=0xdc, [184]=0x0, [185]=0x0, [186]=0xde, [187]=0x5, [188]=0x26, [189]=0x0, [190]=0x0, [191]=0xde, [192]=0x0, [193]=0x0, [194]=0x2a, [195]=0x0, [196]=0x41, [197]=0x4c, [198]=0x0, [199]=0x0, [200]=0x2, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x26, [205]=0x1, [206]=0x0, [207]=0x0, [208]=0x13, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x39, [213]=0x1, [214]=0x0, [215]=0x0, [216]=0x14, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x2, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x6c, [229]=0x1, [230]=0x0, [231]=0x0, [232]=0x4, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x70, [237]=0x1, [238]=0x0, [239]=0x0, [240]=0x14, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x1, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x87, [257]=0x1, [258]=0x0, [259]=0x0, [260]=0x88, [261]=0x1, [262]=0x0, [263]=0x0, [264]=0x5, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x1, [269]=0x0, [270]=0x0, [271]=0x1, [272]=0x1b, [273]=0x30, [274]=0x6, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x21, [281]=0x0, [282]=0x0, [283]=0x11, [284]=0x0, [285]=0x0, [286]=0x73, [287]=0x25, [288]=0x0, [289]=0x0, [290]=0xa, [291]=0xa, [292]=0x0, [293]=0x6, [294]=0x3, [295]=0x4, [296]=0x73, [297]=0xd4, [298]=0x0, [299]=0x0, [300]=0xa, [301]=0x6f, [302]=0xdb, [303]=0x0, [304]=0x0, [305]=0xa, [306]=0x0, [307]=0x6, [308]=0x2, [309]=0x1c, [310]=0x8d, [311]=0x1b, [312]=0x0, [313]=0x0, [314]=0x1, [315]=0xb, [316]=0x7, [317]=0x16, [318]=0x7e, [319]=0x51, [320]=0x0, [321]=0x0, [322]=0x4, [323]=0x20, [324]=0xd6, [325]=0x36, [326]=0x0, [327]=0x0, [328]=0x28, [329]=0x52, [330]=0x0, [331]=0x0, [332]=0x6, [333]=0xa2, [334]=0x7, [335]=0x17, [336]=0x28, [337]=0xd0, [338]=0x0, [339]=0x0, [340]=0xa, [341]=0xa2, [342]=0x7, [343]=0x18, [344]=0x7e, [345]=0x51, [346]=0x0, [347]=0x0, [348]=0x4, [349]=0x20, [350]=0xe3, [351]=0x36, [352]=0x0, [353]=0x0, [354]=0x28, [355]=0x52, [356]=0x0, [357]=0x0, [358]=0x6, [359]=0xa2, [360]=0x7, [361]=0x19, [362]=0x28, [363]=0xd1, [364]=0x0, [365]=0x0, [366]=0xa, [367]=0xa2, [368]=0x7, [369]=0x1a, [370]=0x7e, [371]=0x51, [372]=0x0, [373]=0x0, [374]=0x4, [375]=0x20, [376]=0xf8, [377]=0x36, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0x52, [382]=0x0, [383]=0x0, [384]=0x6, [385]=0xa2, [386]=0x7, [387]=0x1b, [388]=0x5, [389]=0x28, [390]=0xe, [391]=0x0, [392]=0x0, [393]=0xa, [394]=0xa2, [395]=0x7, [396]=0x28, [397]=0x2a, [398]=0x0, [399]=0x0, [400]=0xa, [401]=0x16, [402]=0x8d, [403]=0x1, [404]=0x0, [405]=0x0, [406]=0x1, [407]=0x28, [408]=0xdc, [409]=0x0, [410]=0x0, [411]=0xa, [412]=0x28, [413]=0xd, [414]=0x0, [415]=0x0, [416]=0xa, [417]=0x7e, [418]=0x51, [419]=0x0, [420]=0x0, [421]=0x4, [422]=0x20, [423]=0x90, [424]=0x38, [425]=0x0, [426]=0x0, [427]=0x28, [428]=0x52, [429]=0x0, [430]=0x0, [431]=0x6, [432]=0x5, [433]=0x6f, [434]=0xdd, [435]=0x0, [436]=0x0, [437]=0xa, [438]=0x26, [439]=0x0, [440]=0xde, [441]=0x10, [442]=0x6, [443]=0x14, [444]=0xfe, [445]=0x1, [446]=0xc, [447]=0x8, [448]=0x2d, [449]=0x7, [450]=0x6, [451]=0x6f, [452]=0x20, [453]=0x0, [454]=0x0, [455]=0xa, [456]=0x0, [457]=0xdc, [458]=0x0, [459]=0x0, [460]=0xde, [461]=0x5, [462]=0x26, [463]=0x0, [464]=0x0, [465]=0xde, [466]=0x0, [467]=0x0, [468]=0x2a, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x1c, [474]=0x0, [475]=0x0, [476]=0x2, [477]=0x0, [478]=0x8, [479]=0x0, [480]=0x96, [481]=0x9e, [482]=0x0, [483]=0x10, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x1, [491]=0x0, [492]=0xb1, [493]=0xb2, [494]=0x0, [495]=0x5, [496]=0x1, [497]=0x0, [498]=0x0, [499]=0x1, [500]=0x1e, [501]=0x2, [502]=0x28, [503]=0x8c, [504]=0x0, [505]=0x0, [506]=0xa, [507]=0x2a, [508]=0x42, [509]=0xd0, [510]=0xd, [511]=0x0))) returned 0x0 [0135.711] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x93fee4*=0x414000, NumberOfBytesToProtect=0x26b1058, NewAccessProtection=0x4, OldAccessProtection=0x93fe88 | out: BaseAddress=0x93fee4*=0x414000, NumberOfBytesToProtect=0x26b1058, OldAccessProtection=0x93fe88*=0x4) returned 0x0 [0135.721] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x7e, [3]=0x51, [4]=0x0, [5]=0x0, [6]=0x4, [7]=0x20, [8]=0x99, [9]=0x38, [10]=0x0, [11]=0x0, [12]=0x28, [13]=0x52, [14]=0x0, [15]=0x0, [16]=0x6, [17]=0x13, [18]=0x4, [19]=0x73, [20]=0xd6, [21]=0x0, [22]=0x0, [23]=0xa, [24]=0x13, [25]=0x5, [26]=0x11, [27]=0x5, [28]=0x5, [29]=0x6f, [30]=0x6d, [31]=0x0, [32]=0x0, [33]=0xa, [34]=0x13, [35]=0x6, [36]=0x8, [37]=0x11, [38]=0x6, [39]=0x8e, [40]=0x69, [41]=0x6a, [42]=0x6f, [43]=0xd7, [44]=0x0, [45]=0x0, [46]=0xa, [47]=0x0, [48]=0x7e, [49]=0x51, [50]=0x0, [51]=0x0, [52]=0x4, [53]=0x20, [54]=0x77, [55]=0x39, [56]=0x0, [57]=0x0, [58]=0x28, [59]=0x52, [60]=0x0, [61]=0x0, [62]=0x6, [63]=0x13, [64]=0x7, [65]=0x7e, [66]=0x51, [67]=0x0, [68]=0x0, [69]=0x4, [70]=0x20, [71]=0x91, [72]=0x3a, [73]=0x0, [74]=0x0, [75]=0x28, [76]=0x52, [77]=0x0, [78]=0x0, [79]=0x6, [80]=0x13, [81]=0x8, [82]=0x8, [83]=0x6f, [84]=0xd8, [85]=0x0, [86]=0x0, [87]=0xa, [88]=0x13, [89]=0x9, [90]=0x0, [91]=0x11, [92]=0x9, [93]=0x11, [94]=0x6, [95]=0x16, [96]=0x11, [97]=0x6, [98]=0x8e, [99]=0x69, [100]=0x6f, [101]=0xd9, [102]=0x0, [103]=0x0, [104]=0xa, [105]=0x0, [106]=0x0, [107]=0xde, [108]=0x14, [109]=0x11, [110]=0x9, [111]=0x14, [112]=0xfe, [113]=0x1, [114]=0x13, [115]=0xd, [116]=0x11, [117]=0xd, [118]=0x2d, [119]=0x8, [120]=0x11, [121]=0x9, [122]=0x6f, [123]=0x20, [124]=0x0, [125]=0x0, [126]=0xa, [127]=0x0, [128]=0xdc, [129]=0x0, [130]=0x7e, [131]=0x51, [132]=0x0, [133]=0x0, [134]=0x4, [135]=0x20, [136]=0x87, [137]=0x3b, [138]=0x0, [139]=0x0, [140]=0x28, [141]=0x52, [142]=0x0, [143]=0x0, [144]=0x6, [145]=0x13, [146]=0xa, [147]=0x8, [148]=0x6f, [149]=0xda, [150]=0x0, [151]=0x0, [152]=0xa, [153]=0x74, [154]=0x81, [155]=0x0, [156]=0x0, [157]=0x1, [158]=0x13, [159]=0xb, [160]=0x0, [161]=0x0, [162]=0xde, [163]=0x14, [164]=0x11, [165]=0xb, [166]=0x14, [167]=0xfe, [168]=0x1, [169]=0x13, [170]=0xd, [171]=0x11, [172]=0xd, [173]=0x2d, [174]=0x8, [175]=0x11, [176]=0xb, [177]=0x6f, [178]=0x20, [179]=0x0, [180]=0x0, [181]=0xa, [182]=0x0, [183]=0xdc, [184]=0x0, [185]=0x0, [186]=0xde, [187]=0x5, [188]=0x26, [189]=0x0, [190]=0x0, [191]=0xde, [192]=0x0, [193]=0x0, [194]=0x2a, [195]=0x0, [196]=0x41, [197]=0x4c, [198]=0x0, [199]=0x0, [200]=0x2, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x26, [205]=0x1, [206]=0x0, [207]=0x0, [208]=0x13, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x39, [213]=0x1, [214]=0x0, [215]=0x0, [216]=0x14, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x2, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x6c, [229]=0x1, [230]=0x0, [231]=0x0, [232]=0x4, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x70, [237]=0x1, [238]=0x0, [239]=0x0, [240]=0x14, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x1, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x87, [257]=0x1, [258]=0x0, [259]=0x0, [260]=0x88, [261]=0x1, [262]=0x0, [263]=0x0, [264]=0x5, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x1, [269]=0x0, [270]=0x0, [271]=0x1, [272]=0x1b, [273]=0x30, [274]=0x6, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x21, [281]=0x0, [282]=0x0, [283]=0x11, [284]=0x0, [285]=0x0, [286]=0x73, [287]=0x25, [288]=0x0, [289]=0x0, [290]=0xa, [291]=0xa, [292]=0x0, [293]=0x6, [294]=0x3, [295]=0x4, [296]=0x73, [297]=0xd4, [298]=0x0, [299]=0x0, [300]=0xa, [301]=0x6f, [302]=0xdb, [303]=0x0, [304]=0x0, [305]=0xa, [306]=0x0, [307]=0x6, [308]=0x2, [309]=0x1c, [310]=0x8d, [311]=0x1b, [312]=0x0, [313]=0x0, [314]=0x1, [315]=0xb, [316]=0x7, [317]=0x16, [318]=0x7e, [319]=0x51, [320]=0x0, [321]=0x0, [322]=0x4, [323]=0x20, [324]=0xd6, [325]=0x36, [326]=0x0, [327]=0x0, [328]=0x28, [329]=0x52, [330]=0x0, [331]=0x0, [332]=0x6, [333]=0xa2, [334]=0x7, [335]=0x17, [336]=0x28, [337]=0xd0, [338]=0x0, [339]=0x0, [340]=0xa, [341]=0xa2, [342]=0x7, [343]=0x18, [344]=0x7e, [345]=0x51, [346]=0x0, [347]=0x0, [348]=0x4, [349]=0x20, [350]=0xe3, [351]=0x36, [352]=0x0, [353]=0x0, [354]=0x28, [355]=0x52, [356]=0x0, [357]=0x0, [358]=0x6, [359]=0xa2, [360]=0x7, [361]=0x19, [362]=0x28, [363]=0xd1, [364]=0x0, [365]=0x0, [366]=0xa, [367]=0xa2, [368]=0x7, [369]=0x1a, [370]=0x7e, [371]=0x51, [372]=0x0, [373]=0x0, [374]=0x4, [375]=0x20, [376]=0xf8, [377]=0x36, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0x52, [382]=0x0, [383]=0x0, [384]=0x6, [385]=0xa2, [386]=0x7, [387]=0x1b, [388]=0x5, [389]=0x28, [390]=0xe, [391]=0x0, [392]=0x0, [393]=0xa, [394]=0xa2, [395]=0x7, [396]=0x28, [397]=0x2a, [398]=0x0, [399]=0x0, [400]=0xa, [401]=0x16, [402]=0x8d, [403]=0x1, [404]=0x0, [405]=0x0, [406]=0x1, [407]=0x28, [408]=0xdc, [409]=0x0, [410]=0x0, [411]=0xa, [412]=0x28, [413]=0xd, [414]=0x0, [415]=0x0, [416]=0xa, [417]=0x7e, [418]=0x51, [419]=0x0, [420]=0x0, [421]=0x4, [422]=0x20, [423]=0x90, [424]=0x38, [425]=0x0, [426]=0x0, [427]=0x28, [428]=0x52, [429]=0x0, [430]=0x0, [431]=0x6, [432]=0x5, [433]=0x6f, [434]=0xdd, [435]=0x0, [436]=0x0, [437]=0xa, [438]=0x26, [439]=0x0, [440]=0xde, [441]=0x10, [442]=0x6, [443]=0x14, [444]=0xfe, [445]=0x1, [446]=0xc, [447]=0x8, [448]=0x2d, [449]=0x7, [450]=0x6, [451]=0x6f, [452]=0x20, [453]=0x0, [454]=0x0, [455]=0xa, [456]=0x0, [457]=0xdc, [458]=0x0, [459]=0x0, [460]=0xde, [461]=0x5, [462]=0x26, [463]=0x0, [464]=0x0, [465]=0xde, [466]=0x0, [467]=0x0, [468]=0x2a, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x1c, [474]=0x0, [475]=0x0, [476]=0x2, [477]=0x0, [478]=0x8, [479]=0x0, [480]=0x96, [481]=0x9e, [482]=0x0, [483]=0x10, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x1, [491]=0x0, [492]=0xb1, [493]=0xb2, [494]=0x0, [495]=0x5, [496]=0x1, [497]=0x0, [498]=0x0, [499]=0x1, [500]=0x1e, [501]=0x2, [502]=0x28, [503]=0x8c, [504]=0x0, [505]=0x0, [506]=0xa, [507]=0x2a, [508]=0x42, [509]=0xd0, [510]=0xd, [511]=0x0))) returned 0x0 [0135.730] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x26b0800*=0x400000, NumberOfBytesToProtect=0x26b080c, NewAccessProtection=0x2, OldAccessProtection=0x93fe88 | out: BaseAddress=0x26b0800*=0x400000, NumberOfBytesToProtect=0x26b080c, OldAccessProtection=0x93fe88*=0x4) returned 0x0 [0135.740] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0135.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x97b6fd, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x358 [0135.751] NtGetContextThread (in: ThreadHandle=0xfffffffe, Context=0x26c5044 | out: Context=0x26c5044*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0135.761] NtSetInformationThread (ThreadHandle=0x358, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0135.763] Sleep (dwMilliseconds=0x800) [0137.847] TerminateThread (hThread=0xfffffffe, dwExitCode=0x0) Thread: id = 9 os_tid = 0x518 Thread: id = 10 os_tid = 0xf8c Thread: id = 11 os_tid = 0xfd8 Thread: id = 12 os_tid = 0x4e4 Thread: id = 13 os_tid = 0x378 Thread: id = 14 os_tid = 0xd00 [0184.581] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0184.616] RoInitialize () returned 0x1 [0184.654] RoUninitialize () returned 0x0 [0255.666] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\3747bdbf-0ef0-42d8-9234-70d68801f407") returned 0x640 [0255.935] CloseHandle (hObject=0x640) returned 1 [0255.991] GetCurrentProcessId () returned 0x4b4 [0257.058] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1f16e554 | out: lpLuid=0x1f16e554*(LowPart=0x14, HighPart=0)) returned 1 [0257.071] GetCurrentProcess () returned 0xffffffff [0257.071] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x1f16e550 | out: TokenHandle=0x1f16e550*=0x2d0) returned 1 [0257.078] AdjustTokenPrivileges (in: TokenHandle=0x2d0, DisableAllPrivileges=0, NewState=0x1f3e7d68*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0257.079] CloseHandle (hObject=0x2d0) returned 1 [0257.374] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4b4) returned 0x2d0 [0257.665] EnumProcessModules (in: hProcess=0x2d0, lphModule=0x1f3e7dac, cb=0x100, lpcbNeeded=0x1f16ecc4 | out: lphModule=0x1f3e7dac, lpcbNeeded=0x1f16ecc4) returned 1 [0257.686] EnumProcessModules (in: hProcess=0x2d0, lphModule=0x1f3e7eb8, cb=0x200, lpcbNeeded=0x1f16ecc4 | out: lphModule=0x1f3e7eb8, lpcbNeeded=0x1f16ecc4) returned 1 [0257.968] GetModuleInformation (in: hProcess=0x2d0, hModule=0x400000, lpmodinfo=0x1f3e8104, cb=0xc | out: lpmodinfo=0x1f3e8104*(lpBaseOfDll=0x400000, SizeOfImage=0x16000, EntryPoint=0x410436)) returned 1 [0257.999] CoTaskMemAlloc (cb=0x804) returned 0xed6f88 [0257.999] GetModuleBaseNameW (in: hProcess=0x2d0, hModule=0x400000, lpBaseName=0xed6f88, nSize=0x800 | out: lpBaseName="RegAsm.exe") returned 0xa [0258.037] CoTaskMemFree (pv=0xed6f88) [0258.037] CoTaskMemAlloc (cb=0x804) returned 0xed6f88 [0258.037] GetModuleFileNameExW (in: hProcess=0x2d0, hModule=0x400000, lpFilename=0xed6f88, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\regasm.exe")) returned 0x38 [0258.083] CoTaskMemFree (pv=0xed6f88) [0258.160] CloseHandle (hObject=0x2d0) returned 1 [0258.859] CoTaskMemAlloc (cb=0x20c) returned 0xe9ff20 [0258.859] SHGetFolderPathW (in: hwnd=0x0, csidl=7, hToken=0x0, dwFlags=0x0, pszPath=0xe9ff20 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0258.862] CoTaskMemFree (pv=0xe9ff20) [0259.691] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x1f16e4c0 | out: phkResult=0x1f16e4c0*=0x0) returned 0x2 [0259.711] RegCloseKey (hKey=0x80000002) returned 0x0 [0261.088] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", nBufferLength=0x105, lpBuffer=0x1f16e714, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpFilePart=0x0) returned 0x4d [0264.337] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0264.576] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0264.609] GetCurrentProcess () returned 0xffffffff [0264.610] GetCurrentProcess () returned 0xffffffff [0264.610] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x650) returned 1 [0264.610] CloseHandle (hObject=0x2d0) returned 1 [0264.610] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0264.611] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0264.611] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0264.611] CoTaskMemFree (pv=0xed7c70) [0264.652] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop avpsus /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f3ec01c | out: lpCommandLine="\"net.exe\" stop avpsus /y", lpProcessInformation=0x1f3ec01c*(hProcess=0x654, hThread=0x2d0, dwProcessId=0x13d4, dwThreadId=0x1388)) returned 1 [0265.226] CloseHandle (hObject=0x64c) returned 1 [0265.351] GetFileType (hFile=0x650) returned 0x3 [0265.392] CloseHandle (hObject=0x2d0) returned 1 [0265.483] ReadFile (in: hFile=0x650, lpBuffer=0x1f3ec7b4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f3ec7b4, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0273.422] GetCurrentProcess () returned 0xffffffff [0273.422] GetCurrentProcess () returned 0xffffffff [0273.424] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0273.439] CloseHandle (hObject=0x2d0) returned 1 [0273.460] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0273.461] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0273.462] GetCurrentProcess () returned 0xffffffff [0273.462] GetCurrentProcess () returned 0xffffffff [0273.462] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x65c) returned 1 [0273.462] CloseHandle (hObject=0x2d0) returned 1 [0273.462] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0273.462] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0273.462] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0273.462] CoTaskMemFree (pv=0xed7c70) [0273.463] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop McAfeeDLPAgentService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f3efa78 | out: lpCommandLine="\"net.exe\" stop McAfeeDLPAgentService /y", lpProcessInformation=0x1f3efa78*(hProcess=0x658, hThread=0x2d0, dwProcessId=0x107c, dwThreadId=0xfe8)) returned 1 [0273.480] CloseHandle (hObject=0x64c) returned 1 [0273.480] GetFileType (hFile=0x65c) returned 0x3 [0273.522] CloseHandle (hObject=0x2d0) returned 1 [0273.522] ReadFile (in: hFile=0x65c, lpBuffer=0x1f3eff5c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f3eff5c, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0275.426] GetCurrentProcess () returned 0xffffffff [0275.426] GetCurrentProcess () returned 0xffffffff [0275.426] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x658, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0275.430] CloseHandle (hObject=0x2d0) returned 1 [0275.430] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0275.430] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0275.430] GetCurrentProcess () returned 0xffffffff [0275.431] GetCurrentProcess () returned 0xffffffff [0275.431] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x66c) returned 1 [0275.431] CloseHandle (hObject=0x2d0) returned 1 [0275.431] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0275.431] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0275.431] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0275.431] CoTaskMemFree (pv=0xed7c70) [0275.431] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop mfewc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f3f3210 | out: lpCommandLine="\"net.exe\" stop mfewc /y", lpProcessInformation=0x1f3f3210*(hProcess=0x668, hThread=0x2d0, dwProcessId=0x4f0, dwThreadId=0x510)) returned 1 [0275.442] CloseHandle (hObject=0x64c) returned 1 [0275.442] GetFileType (hFile=0x66c) returned 0x3 [0275.442] CloseHandle (hObject=0x2d0) returned 1 [0275.442] ReadFile (in: hFile=0x66c, lpBuffer=0x1f3f36e4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f3f36e4, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0278.815] GetCurrentProcess () returned 0xffffffff [0278.815] GetCurrentProcess () returned 0xffffffff [0278.815] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x668, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0278.818] CloseHandle (hObject=0x2d0) returned 1 [0278.819] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0278.819] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0278.820] GetCurrentProcess () returned 0xffffffff [0278.820] GetCurrentProcess () returned 0xffffffff [0278.820] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x674) returned 1 [0278.820] CloseHandle (hObject=0x2d0) returned 1 [0278.820] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0278.820] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0278.820] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0278.820] CoTaskMemFree (pv=0xed7c70) [0278.820] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BMR Boot Service /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eadc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f3f699c | out: lpCommandLine="\"net.exe\" stop BMR Boot Service /y", lpProcessInformation=0x1f3f699c*(hProcess=0x670, hThread=0x2d0, dwProcessId=0x12bc, dwThreadId=0x133c)) returned 1 [0278.833] CloseHandle (hObject=0x64c) returned 1 [0278.833] GetFileType (hFile=0x674) returned 0x3 [0278.834] CloseHandle (hObject=0x2d0) returned 1 [0278.834] ReadFile (in: hFile=0x674, lpBuffer=0x1f3f6e78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f3f6e78, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0281.422] GetCurrentProcess () returned 0xffffffff [0281.422] GetCurrentProcess () returned 0xffffffff [0281.422] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x670, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0281.426] CloseHandle (hObject=0x2d0) returned 1 [0281.426] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0281.426] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0281.426] GetCurrentProcess () returned 0xffffffff [0281.426] GetCurrentProcess () returned 0xffffffff [0281.426] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x67c) returned 1 [0281.427] CloseHandle (hObject=0x2d0) returned 1 [0281.427] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0281.427] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0281.427] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0281.427] CoTaskMemFree (pv=0xed7c70) [0281.427] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop NetBackup BMR MTFTP Service /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eac4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f3fa148 | out: lpCommandLine="\"net.exe\" stop NetBackup BMR MTFTP Service /y", lpProcessInformation=0x1f3fa148*(hProcess=0x678, hThread=0x2d0, dwProcessId=0x10a8, dwThreadId=0x10a4)) returned 1 [0281.439] CloseHandle (hObject=0x64c) returned 1 [0281.439] GetFileType (hFile=0x67c) returned 0x3 [0281.439] CloseHandle (hObject=0x2d0) returned 1 [0281.439] ReadFile (in: hFile=0x67c, lpBuffer=0x1f3fa638, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f3fa638, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0281.963] GetCurrentProcess () returned 0xffffffff [0281.963] GetCurrentProcess () returned 0xffffffff [0281.963] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x678, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0281.966] CloseHandle (hObject=0x2d0) returned 1 [0281.966] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0281.966] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0281.967] GetCurrentProcess () returned 0xffffffff [0281.967] GetCurrentProcess () returned 0xffffffff [0281.967] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x684) returned 1 [0281.967] CloseHandle (hObject=0x2d0) returned 1 [0281.967] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0281.967] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0281.967] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0281.967] CoTaskMemFree (pv=0xed7c70) [0281.967] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop DefWatch /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f3fd8ec | out: lpCommandLine="\"net.exe\" stop DefWatch /y", lpProcessInformation=0x1f3fd8ec*(hProcess=0x680, hThread=0x2d0, dwProcessId=0x10f8, dwThreadId=0x125c)) returned 1 [0281.977] CloseHandle (hObject=0x64c) returned 1 [0281.983] GetFileType (hFile=0x684) returned 0x3 [0281.983] CloseHandle (hObject=0x2d0) returned 1 [0281.983] ReadFile (in: hFile=0x684, lpBuffer=0x1f3fddc0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f3fddc0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0282.332] GetCurrentProcess () returned 0xffffffff [0282.332] GetCurrentProcess () returned 0xffffffff [0282.332] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x680, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0282.334] CloseHandle (hObject=0x2d0) returned 1 [0282.334] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0282.334] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0282.334] GetCurrentProcess () returned 0xffffffff [0282.334] GetCurrentProcess () returned 0xffffffff [0282.335] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x68c) returned 1 [0282.335] CloseHandle (hObject=0x2d0) returned 1 [0282.335] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0282.335] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0282.335] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0282.335] CoTaskMemFree (pv=0xed7c70) [0282.335] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop ccEvtMgr /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f401074 | out: lpCommandLine="\"net.exe\" stop ccEvtMgr /y", lpProcessInformation=0x1f401074*(hProcess=0x688, hThread=0x2d0, dwProcessId=0xac8, dwThreadId=0x1ec)) returned 1 [0282.349] CloseHandle (hObject=0x64c) returned 1 [0282.349] GetFileType (hFile=0x68c) returned 0x3 [0282.349] CloseHandle (hObject=0x2d0) returned 1 [0282.349] ReadFile (in: hFile=0x68c, lpBuffer=0x1f401548, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f401548, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0282.717] GetCurrentProcess () returned 0xffffffff [0282.717] GetCurrentProcess () returned 0xffffffff [0282.717] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x688, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0282.720] CloseHandle (hObject=0x2d0) returned 1 [0282.725] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0282.725] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0282.726] GetCurrentProcess () returned 0xffffffff [0282.726] GetCurrentProcess () returned 0xffffffff [0282.726] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x694) returned 1 [0282.726] CloseHandle (hObject=0x2d0) returned 1 [0282.726] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0282.726] CoTaskMemAlloc (cb=0x20e) returned 0xed5388 [0282.726] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed5388 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0282.726] CoTaskMemFree (pv=0xed5388) [0282.726] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop ccSetMgr /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f4047fc | out: lpCommandLine="\"net.exe\" stop ccSetMgr /y", lpProcessInformation=0x1f4047fc*(hProcess=0x690, hThread=0x2d0, dwProcessId=0x10b8, dwThreadId=0x10dc)) returned 1 [0282.738] CloseHandle (hObject=0x64c) returned 1 [0282.738] GetFileType (hFile=0x694) returned 0x3 [0282.738] CloseHandle (hObject=0x2d0) returned 1 [0282.738] ReadFile (in: hFile=0x694, lpBuffer=0x1f404cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f404cd0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0283.171] GetCurrentProcess () returned 0xffffffff [0283.171] GetCurrentProcess () returned 0xffffffff [0283.171] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x690, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0283.173] CloseHandle (hObject=0x2d0) returned 1 [0283.174] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0283.174] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0283.174] GetCurrentProcess () returned 0xffffffff [0283.174] GetCurrentProcess () returned 0xffffffff [0283.174] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x69c) returned 1 [0283.175] CloseHandle (hObject=0x2d0) returned 1 [0283.175] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0283.175] CoTaskMemAlloc (cb=0x20e) returned 0xed5388 [0283.175] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed5388 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0283.175] CoTaskMemFree (pv=0xed5388) [0283.175] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop SavRoam /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f407f84 | out: lpCommandLine="\"net.exe\" stop SavRoam /y", lpProcessInformation=0x1f407f84*(hProcess=0x698, hThread=0x2d0, dwProcessId=0xfb8, dwThreadId=0xfdc)) returned 1 [0283.190] CloseHandle (hObject=0x64c) returned 1 [0283.190] GetFileType (hFile=0x69c) returned 0x3 [0283.190] CloseHandle (hObject=0x2d0) returned 1 [0283.190] ReadFile (in: hFile=0x69c, lpBuffer=0x1f408458, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f408458, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0283.595] GetCurrentProcess () returned 0xffffffff [0283.595] GetCurrentProcess () returned 0xffffffff [0283.595] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x698, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0283.597] CloseHandle (hObject=0x2d0) returned 1 [0283.602] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0283.603] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0283.603] GetCurrentProcess () returned 0xffffffff [0283.603] GetCurrentProcess () returned 0xffffffff [0283.603] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6a4) returned 1 [0283.603] CloseHandle (hObject=0x2d0) returned 1 [0283.603] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0283.603] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0283.603] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0283.603] CoTaskMemFree (pv=0xed7c70) [0283.603] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop RTVscan /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f40b70c | out: lpCommandLine="\"net.exe\" stop RTVscan /y", lpProcessInformation=0x1f40b70c*(hProcess=0x6a0, hThread=0x2d0, dwProcessId=0xee0, dwThreadId=0xf58)) returned 1 [0283.617] CloseHandle (hObject=0x64c) returned 1 [0283.617] GetFileType (hFile=0x6a4) returned 0x3 [0283.620] CloseHandle (hObject=0x2d0) returned 1 [0283.620] ReadFile (in: hFile=0x6a4, lpBuffer=0x1f40bbe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f40bbe0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0284.166] GetCurrentProcess () returned 0xffffffff [0284.166] GetCurrentProcess () returned 0xffffffff [0284.166] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0284.168] CloseHandle (hObject=0x2d0) returned 1 [0284.168] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0284.168] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0284.168] GetCurrentProcess () returned 0xffffffff [0284.169] GetCurrentProcess () returned 0xffffffff [0284.169] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6ac) returned 1 [0284.169] CloseHandle (hObject=0x2d0) returned 1 [0284.169] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0284.169] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0284.169] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0284.169] CoTaskMemFree (pv=0xed7c70) [0284.169] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop QBFCService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f40ee94 | out: lpCommandLine="\"net.exe\" stop QBFCService /y", lpProcessInformation=0x1f40ee94*(hProcess=0x6a8, hThread=0x2d0, dwProcessId=0x130c, dwThreadId=0x1244)) returned 1 [0284.181] CloseHandle (hObject=0x64c) returned 1 [0284.181] GetFileType (hFile=0x6ac) returned 0x3 [0284.181] CloseHandle (hObject=0x2d0) returned 1 [0284.181] ReadFile (in: hFile=0x6ac, lpBuffer=0x1f40f368, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f40f368, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0284.643] GetCurrentProcess () returned 0xffffffff [0284.643] GetCurrentProcess () returned 0xffffffff [0284.643] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0284.650] CloseHandle (hObject=0x2d0) returned 1 [0284.661] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0284.661] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0284.662] GetCurrentProcess () returned 0xffffffff [0284.662] GetCurrentProcess () returned 0xffffffff [0284.662] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6b4) returned 1 [0284.662] CloseHandle (hObject=0x2d0) returned 1 [0284.662] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0284.662] CoTaskMemAlloc (cb=0x20e) returned 0xed5388 [0284.662] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed5388 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0284.662] CoTaskMemFree (pv=0xed5388) [0284.662] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop QBIDPService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f41261c | out: lpCommandLine="\"net.exe\" stop QBIDPService /y", lpProcessInformation=0x1f41261c*(hProcess=0x6b0, hThread=0x2d0, dwProcessId=0x1330, dwThreadId=0x12e4)) returned 1 [0284.679] CloseHandle (hObject=0x64c) returned 1 [0284.680] GetFileType (hFile=0x6b4) returned 0x3 [0284.680] CloseHandle (hObject=0x2d0) returned 1 [0284.680] ReadFile (in: hFile=0x6b4, lpBuffer=0x1f412af0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f412af0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0285.126] GetCurrentProcess () returned 0xffffffff [0285.126] GetCurrentProcess () returned 0xffffffff [0285.126] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0285.129] CloseHandle (hObject=0x2d0) returned 1 [0285.129] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0285.129] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0285.129] GetCurrentProcess () returned 0xffffffff [0285.129] GetCurrentProcess () returned 0xffffffff [0285.129] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6bc) returned 1 [0285.129] CloseHandle (hObject=0x2d0) returned 1 [0285.129] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0285.129] CoTaskMemAlloc (cb=0x20e) returned 0xed5388 [0285.129] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed5388 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0285.129] CoTaskMemFree (pv=0xed5388) [0285.130] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop Intuit.QuickBooks.FCS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f415db4 | out: lpCommandLine="\"net.exe\" stop Intuit.QuickBooks.FCS /y", lpProcessInformation=0x1f415db4*(hProcess=0x6b8, hThread=0x2d0, dwProcessId=0x11dc, dwThreadId=0x1290)) returned 1 [0285.142] CloseHandle (hObject=0x64c) returned 1 [0285.142] GetFileType (hFile=0x6bc) returned 0x3 [0285.142] CloseHandle (hObject=0x2d0) returned 1 [0285.142] ReadFile (in: hFile=0x6bc, lpBuffer=0x1f416298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f416298, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0285.550] GetCurrentProcess () returned 0xffffffff [0285.550] GetCurrentProcess () returned 0xffffffff [0285.550] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0285.552] CloseHandle (hObject=0x2d0) returned 1 [0285.558] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0285.558] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0285.558] GetCurrentProcess () returned 0xffffffff [0285.558] GetCurrentProcess () returned 0xffffffff [0285.558] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6c4) returned 1 [0285.558] CloseHandle (hObject=0x2d0) returned 1 [0285.558] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0285.558] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0285.558] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0285.558] CoTaskMemFree (pv=0xed7c70) [0285.558] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop QBCFMonitorService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f419554 | out: lpCommandLine="\"net.exe\" stop QBCFMonitorService /y", lpProcessInformation=0x1f419554*(hProcess=0x6c0, hThread=0x2d0, dwProcessId=0x1154, dwThreadId=0x1318)) returned 1 [0285.571] CloseHandle (hObject=0x64c) returned 1 [0285.571] GetFileType (hFile=0x6c4) returned 0x3 [0285.571] CloseHandle (hObject=0x2d0) returned 1 [0285.571] ReadFile (in: hFile=0x6c4, lpBuffer=0x1f419a34, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f419a34, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0286.069] GetCurrentProcess () returned 0xffffffff [0286.069] GetCurrentProcess () returned 0xffffffff [0286.070] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0286.073] CloseHandle (hObject=0x2d0) returned 1 [0286.073] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0286.073] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0286.073] GetCurrentProcess () returned 0xffffffff [0286.074] GetCurrentProcess () returned 0xffffffff [0286.074] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6cc) returned 1 [0286.074] CloseHandle (hObject=0x2d0) returned 1 [0286.074] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0286.074] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0286.074] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0286.074] CoTaskMemFree (pv=0xed7c70) [0286.074] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop YooBackup /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f41cce8 | out: lpCommandLine="\"net.exe\" stop YooBackup /y", lpProcessInformation=0x1f41cce8*(hProcess=0x6c8, hThread=0x2d0, dwProcessId=0x1258, dwThreadId=0x11c0)) returned 1 [0286.086] CloseHandle (hObject=0x64c) returned 1 [0286.086] GetFileType (hFile=0x6cc) returned 0x3 [0286.087] CloseHandle (hObject=0x2d0) returned 1 [0286.087] ReadFile (in: hFile=0x6cc, lpBuffer=0x1f41d1bc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f41d1bc, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0286.483] GetCurrentProcess () returned 0xffffffff [0286.484] GetCurrentProcess () returned 0xffffffff [0286.484] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0286.487] CloseHandle (hObject=0x2d0) returned 1 [0286.487] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0286.487] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0286.487] GetCurrentProcess () returned 0xffffffff [0286.487] GetCurrentProcess () returned 0xffffffff [0286.487] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6d4) returned 1 [0286.487] CloseHandle (hObject=0x2d0) returned 1 [0286.488] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0286.488] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0286.488] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0286.488] CoTaskMemFree (pv=0xed7c70) [0286.488] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop YooIT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f420470 | out: lpCommandLine="\"net.exe\" stop YooIT /y", lpProcessInformation=0x1f420470*(hProcess=0x6d0, hThread=0x2d0, dwProcessId=0x1314, dwThreadId=0x12ac)) returned 1 [0286.506] CloseHandle (hObject=0x64c) returned 1 [0286.506] GetFileType (hFile=0x6d4) returned 0x3 [0286.506] CloseHandle (hObject=0x2d0) returned 1 [0286.506] ReadFile (in: hFile=0x6d4, lpBuffer=0x1f420944, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f420944, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0286.855] GetCurrentProcess () returned 0xffffffff [0286.855] GetCurrentProcess () returned 0xffffffff [0286.855] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x2d0) returned 1 [0286.857] CloseHandle (hObject=0x2d0) returned 1 [0286.862] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0286.863] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x2d0, hWritePipe=0x1f16eb94*=0x64c) returned 1 [0286.863] GetCurrentProcess () returned 0xffffffff [0286.863] GetCurrentProcess () returned 0xffffffff [0286.863] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6dc) returned 1 [0286.863] CloseHandle (hObject=0x2d0) returned 1 [0286.863] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0286.863] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0286.863] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0286.863] CoTaskMemFree (pv=0xed7c70) [0286.863] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop zhudongfangyu /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x64c, hStdError=0x94), lpProcessInformation=0x1f423bf8 | out: lpCommandLine="\"net.exe\" stop zhudongfangyu /y", lpProcessInformation=0x1f423bf8*(hProcess=0x6d8, hThread=0x2d0, dwProcessId=0xed0, dwThreadId=0xeac)) returned 1 [0286.873] CloseHandle (hObject=0x64c) returned 1 [0286.873] GetFileType (hFile=0x6dc) returned 0x3 [0286.874] CloseHandle (hObject=0x2d0) returned 1 [0286.874] ReadFile (in: hFile=0x6dc, lpBuffer=0x1f4240cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4240cc, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0287.316] GetCurrentProcess () returned 0xffffffff [0287.316] GetCurrentProcess () returned 0xffffffff [0287.316] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0287.319] CloseHandle (hObject=0x3ec) returned 1 [0287.319] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0287.319] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0287.319] GetCurrentProcess () returned 0xffffffff [0287.319] GetCurrentProcess () returned 0xffffffff [0287.319] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x64c) returned 1 [0287.319] CloseHandle (hObject=0x3ec) returned 1 [0287.319] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0287.319] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0287.319] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0287.319] CoTaskMemFree (pv=0xed7c70) [0287.319] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop stc_raw_agent /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f427380 | out: lpCommandLine="\"net.exe\" stop stc_raw_agent /y", lpProcessInformation=0x1f427380*(hProcess=0x6e4, hThread=0x3ec, dwProcessId=0x1094, dwThreadId=0x119c)) returned 1 [0287.330] CloseHandle (hObject=0x2d0) returned 1 [0287.330] GetFileType (hFile=0x64c) returned 0x3 [0287.331] CloseHandle (hObject=0x3ec) returned 1 [0287.331] ReadFile (in: hFile=0x64c, lpBuffer=0x1f427854, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f427854, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0287.691] GetCurrentProcess () returned 0xffffffff [0287.691] GetCurrentProcess () returned 0xffffffff [0287.691] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0287.694] CloseHandle (hObject=0x3ec) returned 1 [0287.694] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0287.694] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0287.694] GetCurrentProcess () returned 0xffffffff [0287.694] GetCurrentProcess () returned 0xffffffff [0287.694] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6e8) returned 1 [0287.694] CloseHandle (hObject=0x3ec) returned 1 [0287.694] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0287.694] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0287.694] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0287.694] CoTaskMemFree (pv=0xed7c70) [0287.695] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop VSNAPVSS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f42ab08 | out: lpCommandLine="\"net.exe\" stop VSNAPVSS /y", lpProcessInformation=0x1f42ab08*(hProcess=0x6e0, hThread=0x3ec, dwProcessId=0x1210, dwThreadId=0x1294)) returned 1 [0287.705] CloseHandle (hObject=0x2d0) returned 1 [0287.705] GetFileType (hFile=0x6e8) returned 0x3 [0287.705] CloseHandle (hObject=0x3ec) returned 1 [0287.705] ReadFile (in: hFile=0x6e8, lpBuffer=0x1f42afdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f42afdc, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0288.205] GetCurrentProcess () returned 0xffffffff [0288.205] GetCurrentProcess () returned 0xffffffff [0288.205] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0288.208] CloseHandle (hObject=0x3ec) returned 1 [0288.209] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0288.209] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0288.209] GetCurrentProcess () returned 0xffffffff [0288.209] GetCurrentProcess () returned 0xffffffff [0288.209] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6f0) returned 1 [0288.209] CloseHandle (hObject=0x3ec) returned 1 [0288.209] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0288.209] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0288.209] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0288.209] CoTaskMemFree (pv=0xed7c70) [0288.209] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop VeeamTransportSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f42e298 | out: lpCommandLine="\"net.exe\" stop VeeamTransportSvc /y", lpProcessInformation=0x1f42e298*(hProcess=0x6ec, hThread=0x3ec, dwProcessId=0x129c, dwThreadId=0x1124)) returned 1 [0288.222] CloseHandle (hObject=0x2d0) returned 1 [0288.227] GetFileType (hFile=0x6f0) returned 0x3 [0288.228] CloseHandle (hObject=0x3ec) returned 1 [0288.228] ReadFile (in: hFile=0x6f0, lpBuffer=0x1f42e774, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f42e774, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0288.664] GetCurrentProcess () returned 0xffffffff [0288.664] GetCurrentProcess () returned 0xffffffff [0288.665] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0288.667] CloseHandle (hObject=0x3ec) returned 1 [0288.667] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0288.668] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0288.668] GetCurrentProcess () returned 0xffffffff [0288.668] GetCurrentProcess () returned 0xffffffff [0288.668] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x6f8) returned 1 [0288.668] CloseHandle (hObject=0x3ec) returned 1 [0288.668] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0288.668] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0288.668] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0288.668] CoTaskMemFree (pv=0xed7c70) [0288.668] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop VeeamDeploymentService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f431a38 | out: lpCommandLine="\"net.exe\" stop VeeamDeploymentService /y", lpProcessInformation=0x1f431a38*(hProcess=0x6f4, hThread=0x3ec, dwProcessId=0xc18, dwThreadId=0xbf8)) returned 1 [0288.679] CloseHandle (hObject=0x2d0) returned 1 [0288.680] GetFileType (hFile=0x6f8) returned 0x3 [0288.680] CloseHandle (hObject=0x3ec) returned 1 [0288.680] ReadFile (in: hFile=0x6f8, lpBuffer=0x1f431f20, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f431f20, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0289.529] GetCurrentProcess () returned 0xffffffff [0289.529] GetCurrentProcess () returned 0xffffffff [0289.529] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0289.532] CloseHandle (hObject=0x3ec) returned 1 [0289.532] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0289.532] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0289.532] GetCurrentProcess () returned 0xffffffff [0289.532] GetCurrentProcess () returned 0xffffffff [0289.532] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x700) returned 1 [0289.532] CloseHandle (hObject=0x3ec) returned 1 [0289.532] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0289.532] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0289.532] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0289.532] CoTaskMemFree (pv=0xed7c70) [0289.532] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop VeeamNFSSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f4351d4 | out: lpCommandLine="\"net.exe\" stop VeeamNFSSvc /y", lpProcessInformation=0x1f4351d4*(hProcess=0x6fc, hThread=0x3ec, dwProcessId=0xe28, dwThreadId=0xe18)) returned 1 [0289.545] CloseHandle (hObject=0x2d0) returned 1 [0289.545] GetFileType (hFile=0x700) returned 0x3 [0289.545] CloseHandle (hObject=0x3ec) returned 1 [0289.546] ReadFile (in: hFile=0x700, lpBuffer=0x1f4356a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4356a8, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0289.930] GetCurrentProcess () returned 0xffffffff [0289.930] GetCurrentProcess () returned 0xffffffff [0289.930] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x6fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0289.933] CloseHandle (hObject=0x3ec) returned 1 [0289.933] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0289.933] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0289.933] GetCurrentProcess () returned 0xffffffff [0289.933] GetCurrentProcess () returned 0xffffffff [0289.934] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x708) returned 1 [0289.934] CloseHandle (hObject=0x3ec) returned 1 [0289.934] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0289.934] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0289.934] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0289.934] CoTaskMemFree (pv=0xed7c70) [0289.934] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop veeam /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f43895c | out: lpCommandLine="\"net.exe\" stop veeam /y", lpProcessInformation=0x1f43895c*(hProcess=0x704, hThread=0x3ec, dwProcessId=0x900, dwThreadId=0x12a0)) returned 1 [0289.945] CloseHandle (hObject=0x2d0) returned 1 [0289.945] GetFileType (hFile=0x708) returned 0x3 [0289.946] CloseHandle (hObject=0x3ec) returned 1 [0289.946] ReadFile (in: hFile=0x708, lpBuffer=0x1f438e30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f438e30, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0290.529] GetCurrentProcess () returned 0xffffffff [0290.529] GetCurrentProcess () returned 0xffffffff [0290.529] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x704, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0290.533] CloseHandle (hObject=0x3ec) returned 1 [0290.534] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0290.534] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0290.534] GetCurrentProcess () returned 0xffffffff [0290.534] GetCurrentProcess () returned 0xffffffff [0290.534] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x710) returned 1 [0290.534] CloseHandle (hObject=0x3ec) returned 1 [0290.534] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0290.535] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0290.535] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0290.535] CoTaskMemFree (pv=0xed7c70) [0290.535] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop PDVFSService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f43c0e4 | out: lpCommandLine="\"net.exe\" stop PDVFSService /y", lpProcessInformation=0x1f43c0e4*(hProcess=0x70c, hThread=0x3ec, dwProcessId=0x10d4, dwThreadId=0x1174)) returned 1 [0290.570] CloseHandle (hObject=0x2d0) returned 1 [0290.571] GetFileType (hFile=0x710) returned 0x3 [0290.571] CloseHandle (hObject=0x3ec) returned 1 [0290.571] ReadFile (in: hFile=0x710, lpBuffer=0x1f43c5b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f43c5b8, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0291.073] GetCurrentProcess () returned 0xffffffff [0291.073] GetCurrentProcess () returned 0xffffffff [0291.073] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x70c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0291.076] CloseHandle (hObject=0x3ec) returned 1 [0291.081] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0291.082] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0291.082] GetCurrentProcess () returned 0xffffffff [0291.082] GetCurrentProcess () returned 0xffffffff [0291.082] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x718) returned 1 [0291.082] CloseHandle (hObject=0x3ec) returned 1 [0291.082] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0291.082] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0291.082] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0291.082] CoTaskMemFree (pv=0xed7c70) [0291.082] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecVSSProvider /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f43f87c | out: lpCommandLine="\"net.exe\" stop BackupExecVSSProvider /y", lpProcessInformation=0x1f43f87c*(hProcess=0x714, hThread=0x3ec, dwProcessId=0xf3c, dwThreadId=0xfac)) returned 1 [0291.093] CloseHandle (hObject=0x2d0) returned 1 [0291.093] GetFileType (hFile=0x718) returned 0x3 [0291.094] CloseHandle (hObject=0x3ec) returned 1 [0291.094] ReadFile (in: hFile=0x718, lpBuffer=0x1f43fd60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f43fd60, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0291.542] GetCurrentProcess () returned 0xffffffff [0291.542] GetCurrentProcess () returned 0xffffffff [0291.542] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x714, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0291.545] CloseHandle (hObject=0x3ec) returned 1 [0291.545] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0291.545] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0291.545] GetCurrentProcess () returned 0xffffffff [0291.545] GetCurrentProcess () returned 0xffffffff [0291.545] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x720) returned 1 [0291.545] CloseHandle (hObject=0x3ec) returned 1 [0291.545] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0291.545] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0291.545] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0291.545] CoTaskMemFree (pv=0xed7c70) [0291.546] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecAgentAccelerator /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eac8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f44302c | out: lpCommandLine="\"net.exe\" stop BackupExecAgentAccelerator /y", lpProcessInformation=0x1f44302c*(hProcess=0x71c, hThread=0x3ec, dwProcessId=0xba0, dwThreadId=0xff0)) returned 1 [0291.557] CloseHandle (hObject=0x2d0) returned 1 [0291.557] GetFileType (hFile=0x720) returned 0x3 [0291.558] CloseHandle (hObject=0x3ec) returned 1 [0291.558] ReadFile (in: hFile=0x720, lpBuffer=0x1f44351c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f44351c, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0291.914] GetCurrentProcess () returned 0xffffffff [0291.914] GetCurrentProcess () returned 0xffffffff [0291.914] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x71c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0291.916] CloseHandle (hObject=0x3ec) returned 1 [0291.916] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0291.916] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0291.917] GetCurrentProcess () returned 0xffffffff [0291.917] GetCurrentProcess () returned 0xffffffff [0291.917] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x728) returned 1 [0291.917] CloseHandle (hObject=0x3ec) returned 1 [0291.917] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0291.917] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0291.917] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0291.917] CoTaskMemFree (pv=0xed7c70) [0291.917] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecAgentBrowser /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f4467e0 | out: lpCommandLine="\"net.exe\" stop BackupExecAgentBrowser /y", lpProcessInformation=0x1f4467e0*(hProcess=0x724, hThread=0x3ec, dwProcessId=0x1224, dwThreadId=0xd94)) returned 1 [0291.928] CloseHandle (hObject=0x2d0) returned 1 [0291.928] GetFileType (hFile=0x728) returned 0x3 [0291.928] CloseHandle (hObject=0x3ec) returned 1 [0291.928] ReadFile (in: hFile=0x728, lpBuffer=0x1f446cc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f446cc8, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0292.289] GetCurrentProcess () returned 0xffffffff [0292.289] GetCurrentProcess () returned 0xffffffff [0292.289] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x724, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0292.291] CloseHandle (hObject=0x3ec) returned 1 [0292.291] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0292.291] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0292.292] GetCurrentProcess () returned 0xffffffff [0292.292] GetCurrentProcess () returned 0xffffffff [0292.292] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x730) returned 1 [0292.292] CloseHandle (hObject=0x3ec) returned 1 [0292.292] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0292.292] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0292.292] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0292.292] CoTaskMemFree (pv=0xed7c70) [0292.292] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecDiveciMediaService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eac4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f449f98 | out: lpCommandLine="\"net.exe\" stop BackupExecDiveciMediaService /y", lpProcessInformation=0x1f449f98*(hProcess=0x72c, hThread=0x3ec, dwProcessId=0x114c, dwThreadId=0x3b8)) returned 1 [0292.304] CloseHandle (hObject=0x2d0) returned 1 [0292.304] GetFileType (hFile=0x730) returned 0x3 [0292.304] CloseHandle (hObject=0x3ec) returned 1 [0292.304] ReadFile (in: hFile=0x730, lpBuffer=0x1f44a48c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f44a48c, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0292.822] GetCurrentProcess () returned 0xffffffff [0292.822] GetCurrentProcess () returned 0xffffffff [0292.822] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0292.824] CloseHandle (hObject=0x3ec) returned 1 [0292.825] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0292.825] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0292.825] GetCurrentProcess () returned 0xffffffff [0292.825] GetCurrentProcess () returned 0xffffffff [0292.825] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x738) returned 1 [0292.825] CloseHandle (hObject=0x3ec) returned 1 [0292.825] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0292.825] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0292.826] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0292.826] CoTaskMemFree (pv=0xed7c70) [0292.826] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecJobEngine /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f44d74c | out: lpCommandLine="\"net.exe\" stop BackupExecJobEngine /y", lpProcessInformation=0x1f44d74c*(hProcess=0x734, hThread=0x3ec, dwProcessId=0xd2c, dwThreadId=0xf90)) returned 1 [0292.838] CloseHandle (hObject=0x2d0) returned 1 [0292.838] GetFileType (hFile=0x738) returned 0x3 [0292.839] CloseHandle (hObject=0x3ec) returned 1 [0292.839] ReadFile (in: hFile=0x738, lpBuffer=0x1f44dc2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f44dc2c, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0293.202] GetCurrentProcess () returned 0xffffffff [0293.202] GetCurrentProcess () returned 0xffffffff [0293.202] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x734, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0293.205] CloseHandle (hObject=0x3ec) returned 1 [0293.210] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0293.210] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0293.210] GetCurrentProcess () returned 0xffffffff [0293.210] GetCurrentProcess () returned 0xffffffff [0293.210] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x740) returned 1 [0293.210] CloseHandle (hObject=0x3ec) returned 1 [0293.210] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0293.210] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0293.210] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0293.210] CoTaskMemFree (pv=0xed7c70) [0293.210] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecManagementService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eac4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f450efc | out: lpCommandLine="\"net.exe\" stop BackupExecManagementService /y", lpProcessInformation=0x1f450efc*(hProcess=0x73c, hThread=0x3ec, dwProcessId=0xf94, dwThreadId=0x132c)) returned 1 [0293.222] CloseHandle (hObject=0x2d0) returned 1 [0293.222] GetFileType (hFile=0x740) returned 0x3 [0293.223] CloseHandle (hObject=0x3ec) returned 1 [0293.223] ReadFile (in: hFile=0x740, lpBuffer=0x1f4513ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4513ec, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0293.764] GetCurrentProcess () returned 0xffffffff [0293.764] GetCurrentProcess () returned 0xffffffff [0293.764] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0293.766] CloseHandle (hObject=0x3ec) returned 1 [0293.766] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0293.766] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0293.767] GetCurrentProcess () returned 0xffffffff [0293.767] GetCurrentProcess () returned 0xffffffff [0293.767] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x748) returned 1 [0293.767] CloseHandle (hObject=0x3ec) returned 1 [0293.767] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0293.767] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0293.767] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0293.767] CoTaskMemFree (pv=0xed7c70) [0293.767] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BackupExecRPCService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f4546ac | out: lpCommandLine="\"net.exe\" stop BackupExecRPCService /y", lpProcessInformation=0x1f4546ac*(hProcess=0x744, hThread=0x3ec, dwProcessId=0x136c, dwThreadId=0x11d0)) returned 1 [0293.778] CloseHandle (hObject=0x2d0) returned 1 [0293.778] GetFileType (hFile=0x748) returned 0x3 [0293.778] CloseHandle (hObject=0x3ec) returned 1 [0293.778] ReadFile (in: hFile=0x748, lpBuffer=0x1f454b90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f454b90, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0294.149] GetCurrentProcess () returned 0xffffffff [0294.149] GetCurrentProcess () returned 0xffffffff [0294.149] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0294.151] CloseHandle (hObject=0x3ec) returned 1 [0294.151] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0294.152] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0294.152] GetCurrentProcess () returned 0xffffffff [0294.152] GetCurrentProcess () returned 0xffffffff [0294.152] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x750) returned 1 [0294.152] CloseHandle (hObject=0x3ec) returned 1 [0294.152] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0294.152] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0294.152] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0294.152] CoTaskMemFree (pv=0xed7c70) [0294.152] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop AcrSch2Svc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f457e44 | out: lpCommandLine="\"net.exe\" stop AcrSch2Svc /y", lpProcessInformation=0x1f457e44*(hProcess=0x74c, hThread=0x3ec, dwProcessId=0xa28, dwThreadId=0x1130)) returned 1 [0294.164] CloseHandle (hObject=0x2d0) returned 1 [0294.165] GetFileType (hFile=0x750) returned 0x3 [0294.165] CloseHandle (hObject=0x3ec) returned 1 [0294.165] ReadFile (in: hFile=0x750, lpBuffer=0x1f458318, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f458318, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0294.551] GetCurrentProcess () returned 0xffffffff [0294.551] GetCurrentProcess () returned 0xffffffff [0294.551] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0294.554] CloseHandle (hObject=0x3ec) returned 1 [0294.554] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0294.554] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0294.554] GetCurrentProcess () returned 0xffffffff [0294.554] GetCurrentProcess () returned 0xffffffff [0294.554] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x758) returned 1 [0294.554] CloseHandle (hObject=0x3ec) returned 1 [0294.554] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0294.554] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0294.554] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0294.554] CoTaskMemFree (pv=0xed7c70) [0294.554] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop AcronisAgent /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f45b5cc | out: lpCommandLine="\"net.exe\" stop AcronisAgent /y", lpProcessInformation=0x1f45b5cc*(hProcess=0x754, hThread=0x3ec, dwProcessId=0xc1c, dwThreadId=0x1104)) returned 1 [0294.565] CloseHandle (hObject=0x2d0) returned 1 [0294.565] GetFileType (hFile=0x758) returned 0x3 [0294.565] CloseHandle (hObject=0x3ec) returned 1 [0294.565] ReadFile (in: hFile=0x758, lpBuffer=0x1f45baa0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f45baa0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0295.018] GetCurrentProcess () returned 0xffffffff [0295.018] GetCurrentProcess () returned 0xffffffff [0295.018] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x754, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0295.021] CloseHandle (hObject=0x3ec) returned 1 [0295.021] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0295.021] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0295.021] GetCurrentProcess () returned 0xffffffff [0295.021] GetCurrentProcess () returned 0xffffffff [0295.021] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x760) returned 1 [0295.021] CloseHandle (hObject=0x3ec) returned 1 [0295.021] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0295.021] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0295.022] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0295.022] CoTaskMemFree (pv=0xed7c70) [0295.022] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop CASAD2DWebSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f45ed54 | out: lpCommandLine="\"net.exe\" stop CASAD2DWebSvc /y", lpProcessInformation=0x1f45ed54*(hProcess=0x75c, hThread=0x3ec, dwProcessId=0xfe8, dwThreadId=0x10a0)) returned 1 [0295.033] CloseHandle (hObject=0x2d0) returned 1 [0295.033] GetFileType (hFile=0x760) returned 0x3 [0295.034] CloseHandle (hObject=0x3ec) returned 1 [0295.034] ReadFile (in: hFile=0x760, lpBuffer=0x1f45f228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f45f228, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0295.447] GetCurrentProcess () returned 0xffffffff [0295.447] GetCurrentProcess () returned 0xffffffff [0295.447] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x75c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0295.449] CloseHandle (hObject=0x3ec) returned 1 [0295.450] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0295.450] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0295.450] GetCurrentProcess () returned 0xffffffff [0295.450] GetCurrentProcess () returned 0xffffffff [0295.450] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x768) returned 1 [0295.450] CloseHandle (hObject=0x3ec) returned 1 [0295.450] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0295.450] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0295.450] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0295.450] CoTaskMemFree (pv=0xed7c70) [0295.450] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop CAARCUpdateSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f4624dc | out: lpCommandLine="\"net.exe\" stop CAARCUpdateSvc /y", lpProcessInformation=0x1f4624dc*(hProcess=0x764, hThread=0x3ec, dwProcessId=0xd4c, dwThreadId=0x6dc)) returned 1 [0295.463] CloseHandle (hObject=0x2d0) returned 1 [0295.463] GetFileType (hFile=0x768) returned 0x3 [0295.463] CloseHandle (hObject=0x3ec) returned 1 [0295.463] ReadFile (in: hFile=0x768, lpBuffer=0x1f4629b4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4629b4, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0295.989] GetCurrentProcess () returned 0xffffffff [0295.989] GetCurrentProcess () returned 0xffffffff [0295.989] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x764, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0295.993] CloseHandle (hObject=0x3ec) returned 1 [0295.998] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0295.998] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0295.998] GetCurrentProcess () returned 0xffffffff [0295.998] GetCurrentProcess () returned 0xffffffff [0295.998] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x770) returned 1 [0295.998] CloseHandle (hObject=0x3ec) returned 1 [0295.998] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0295.998] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0295.998] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0295.999] CoTaskMemFree (pv=0xed7c70) [0295.999] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop sophos /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f465c68 | out: lpCommandLine="\"net.exe\" stop sophos /y", lpProcessInformation=0x1f465c68*(hProcess=0x76c, hThread=0x3ec, dwProcessId=0xa70, dwThreadId=0x10b0)) returned 1 [0296.011] CloseHandle (hObject=0x2d0) returned 1 [0296.011] GetFileType (hFile=0x770) returned 0x3 [0296.012] CloseHandle (hObject=0x3ec) returned 1 [0296.012] ReadFile (in: hFile=0x770, lpBuffer=0x1f46613c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f46613c, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0296.391] GetCurrentProcess () returned 0xffffffff [0296.391] GetCurrentProcess () returned 0xffffffff [0296.391] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x76c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0296.394] CloseHandle (hObject=0x3ec) returned 1 [0296.404] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0296.404] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0296.404] GetCurrentProcess () returned 0xffffffff [0296.404] GetCurrentProcess () returned 0xffffffff [0296.404] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x778) returned 1 [0296.404] CloseHandle (hObject=0x3ec) returned 1 [0296.404] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0296.404] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0296.404] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0296.404] CoTaskMemFree (pv=0xed7c70) [0296.404] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SQLTELEMETRY start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eac8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f469458 | out: lpCommandLine="\"sc.exe\" config SQLTELEMETRY start= disabled", lpProcessInformation=0x1f469458*(hProcess=0x774, hThread=0x3ec, dwProcessId=0x109c, dwThreadId=0x10fc)) returned 1 [0296.545] CloseHandle (hObject=0x2d0) returned 1 [0296.545] GetFileType (hFile=0x778) returned 0x3 [0296.545] CloseHandle (hObject=0x3ec) returned 1 [0296.545] ReadFile (in: hFile=0x778, lpBuffer=0x1f469948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f469948*, lpNumberOfBytesRead=0x1f16ec70*=0x62, lpOverlapped=0x0) returned 1 [0297.024] ReadFile (in: hFile=0x778, lpBuffer=0x1f469948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f469948, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0297.025] GetCurrentProcess () returned 0xffffffff [0297.025] GetCurrentProcess () returned 0xffffffff [0297.025] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x774, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0297.025] CloseHandle (hObject=0x3ec) returned 1 [0297.025] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0297.025] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0297.025] GetCurrentProcess () returned 0xffffffff [0297.025] GetCurrentProcess () returned 0xffffffff [0297.025] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x780) returned 1 [0297.025] CloseHandle (hObject=0x3ec) returned 1 [0297.025] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0297.025] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0297.026] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0297.026] CoTaskMemFree (pv=0xed7c70) [0297.026] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SQLTELEMETRY$ECWDB2 start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eab8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f46d7d0 | out: lpCommandLine="\"sc.exe\" config SQLTELEMETRY$ECWDB2 start= disabled", lpProcessInformation=0x1f46d7d0*(hProcess=0x77c, hThread=0x3ec, dwProcessId=0x13cc, dwThreadId=0x13e4)) returned 1 [0297.039] CloseHandle (hObject=0x2d0) returned 1 [0297.039] GetFileType (hFile=0x780) returned 0x3 [0297.040] CloseHandle (hObject=0x3ec) returned 1 [0297.040] ReadFile (in: hFile=0x780, lpBuffer=0x1f46dccc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f46dccc*, lpNumberOfBytesRead=0x1f16ec70*=0x62, lpOverlapped=0x0) returned 1 [0297.267] ReadFile (in: hFile=0x780, lpBuffer=0x1f46dccc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f46dccc, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0297.272] GetCurrentProcess () returned 0xffffffff [0297.272] GetCurrentProcess () returned 0xffffffff [0297.272] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x77c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0297.274] CloseHandle (hObject=0x3ec) returned 1 [0297.274] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0297.275] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0297.275] GetCurrentProcess () returned 0xffffffff [0297.275] GetCurrentProcess () returned 0xffffffff [0297.275] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x788) returned 1 [0297.275] CloseHandle (hObject=0x3ec) returned 1 [0297.275] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0297.275] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0297.275] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0297.275] CoTaskMemFree (pv=0xed7c70) [0297.275] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SQLWriter start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eacc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f471134 | out: lpCommandLine="\"sc.exe\" config SQLWriter start= disabled", lpProcessInformation=0x1f471134*(hProcess=0x784, hThread=0x3ec, dwProcessId=0x10a4, dwThreadId=0x10e0)) returned 1 [0297.288] CloseHandle (hObject=0x2d0) returned 1 [0297.288] GetFileType (hFile=0x788) returned 0x3 [0297.288] CloseHandle (hObject=0x3ec) returned 1 [0297.288] ReadFile (in: hFile=0x788, lpBuffer=0x1f47161c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f47161c*, lpNumberOfBytesRead=0x1f16ec70*=0x62, lpOverlapped=0x0) returned 1 [0297.520] ReadFile (in: hFile=0x788, lpBuffer=0x1f47161c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f47161c, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0297.525] GetCurrentProcess () returned 0xffffffff [0297.525] GetCurrentProcess () returned 0xffffffff [0297.525] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x784, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0297.527] CloseHandle (hObject=0x3ec) returned 1 [0297.527] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0297.528] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0297.528] GetCurrentProcess () returned 0xffffffff [0297.528] GetCurrentProcess () returned 0xffffffff [0297.528] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x790) returned 1 [0297.528] CloseHandle (hObject=0x3ec) returned 1 [0297.528] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0297.528] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0297.528] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0297.528] CoTaskMemFree (pv=0xed7c70) [0297.528] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SstpSvc start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f474a80 | out: lpCommandLine="\"sc.exe\" config SstpSvc start= disabled", lpProcessInformation=0x1f474a80*(hProcess=0x78c, hThread=0x3ec, dwProcessId=0x125c, dwThreadId=0x6ec)) returned 1 [0297.548] CloseHandle (hObject=0x2d0) returned 1 [0297.548] GetFileType (hFile=0x790) returned 0x3 [0297.549] CloseHandle (hObject=0x3ec) returned 1 [0297.549] ReadFile (in: hFile=0x790, lpBuffer=0x1f474f64, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f474f64*, lpNumberOfBytesRead=0x1f16ec70*=0x22, lpOverlapped=0x0) returned 1 [0297.889] ReadFile (in: hFile=0x790, lpBuffer=0x1f474f64, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f474f64, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0297.895] GetCurrentProcess () returned 0xffffffff [0297.895] GetCurrentProcess () returned 0xffffffff [0297.895] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x78c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0297.898] CloseHandle (hObject=0x3ec) returned 1 [0297.909] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0297.909] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0297.909] GetCurrentProcess () returned 0xffffffff [0297.909] GetCurrentProcess () returned 0xffffffff [0297.909] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x798) returned 1 [0297.909] CloseHandle (hObject=0x3ec) returned 1 [0297.909] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0297.910] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0297.910] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0297.910] CoTaskMemFree (pv=0xed7c70) [0297.910] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"taskkill.exe\" /IM mspub.exe /F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eae0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f478328 | out: lpCommandLine="\"taskkill.exe\" /IM mspub.exe /F", lpProcessInformation=0x1f478328*(hProcess=0x794, hThread=0x3ec, dwProcessId=0x648, dwThreadId=0x1ec)) returned 1 [0298.125] CloseHandle (hObject=0x2d0) returned 1 [0298.125] GetFileType (hFile=0x798) returned 0x3 [0298.125] CloseHandle (hObject=0x3ec) returned 1 [0298.125] ReadFile (in: hFile=0x798, lpBuffer=0x1f4787fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4787fc, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0301.097] GetCurrentProcess () returned 0xffffffff [0301.097] GetCurrentProcess () returned 0xffffffff [0301.097] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x794, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0301.103] CloseHandle (hObject=0x3ec) returned 1 [0301.104] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0301.104] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0301.104] GetCurrentProcess () returned 0xffffffff [0301.104] GetCurrentProcess () returned 0xffffffff [0301.104] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7a0) returned 1 [0301.104] CloseHandle (hObject=0x3ec) returned 1 [0301.104] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0301.104] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0301.104] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0301.104] CoTaskMemFree (pv=0xed7c70) [0301.104] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"taskkill.exe\" /IM mydesktopqos.exe /F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ead4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f47babc | out: lpCommandLine="\"taskkill.exe\" /IM mydesktopqos.exe /F", lpProcessInformation=0x1f47babc*(hProcess=0x79c, hThread=0x3ec, dwProcessId=0xfdc, dwThreadId=0xd7c)) returned 1 [0301.116] CloseHandle (hObject=0x2d0) returned 1 [0301.116] GetFileType (hFile=0x7a0) returned 0x3 [0301.116] CloseHandle (hObject=0x3ec) returned 1 [0301.116] ReadFile (in: hFile=0x7a0, lpBuffer=0x1f47bfa0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f47bfa0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0301.835] GetCurrentProcess () returned 0xffffffff [0301.835] GetCurrentProcess () returned 0xffffffff [0301.835] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x79c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0301.842] CloseHandle (hObject=0x3ec) returned 1 [0301.842] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0301.847] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0301.850] GetCurrentProcess () returned 0xffffffff [0301.850] GetCurrentProcess () returned 0xffffffff [0301.850] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7a8) returned 1 [0301.850] CloseHandle (hObject=0x3ec) returned 1 [0301.850] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0301.850] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0301.850] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0301.850] CoTaskMemFree (pv=0xed7c70) [0301.850] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"taskkill.exe\" /IM mydesktopservice.exe /F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eacc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f47f268 | out: lpCommandLine="\"taskkill.exe\" /IM mydesktopservice.exe /F", lpProcessInformation=0x1f47f268*(hProcess=0x7a4, hThread=0x3ec, dwProcessId=0xf58, dwThreadId=0x1304)) returned 1 [0301.863] CloseHandle (hObject=0x2d0) returned 1 [0301.863] GetFileType (hFile=0x7a8) returned 0x3 [0301.864] CloseHandle (hObject=0x3ec) returned 1 [0301.864] ReadFile (in: hFile=0x7a8, lpBuffer=0x1f47f754, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f47f754, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0302.440] GetCurrentProcess () returned 0xffffffff [0302.440] GetCurrentProcess () returned 0xffffffff [0302.440] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0302.447] CloseHandle (hObject=0x3ec) returned 1 [0302.517] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0302.517] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0302.517] GetCurrentProcess () returned 0xffffffff [0302.517] GetCurrentProcess () returned 0xffffffff [0302.517] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7b0) returned 1 [0302.517] CloseHandle (hObject=0x3ec) returned 1 [0302.517] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0302.518] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0302.518] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0302.518] CoTaskMemFree (pv=0xed7c70) [0302.518] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" Delete Shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16eacc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f482a8c | out: lpCommandLine="\"vssadmin.exe\" Delete Shadows /all /quiet", lpProcessInformation=0x1f482a8c*(hProcess=0x7ac, hThread=0x3ec, dwProcessId=0x117c, dwThreadId=0xfd4)) returned 1 [0302.684] CloseHandle (hObject=0x2d0) returned 1 [0302.684] GetFileType (hFile=0x7b0) returned 0x3 [0302.684] CloseHandle (hObject=0x3ec) returned 1 [0302.684] ReadFile (in: hFile=0x7b0, lpBuffer=0x1f482f74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f482f74*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0303.023] ReadFile (in: hFile=0x7b0, lpBuffer=0x1f482f74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f482f74*, lpNumberOfBytesRead=0x1f16ec70*=0x93, lpOverlapped=0x0) returned 1 [0303.058] ReadFile (in: hFile=0x7b0, lpBuffer=0x1f482f74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f482f74, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0303.068] GetCurrentProcess () returned 0xffffffff [0303.068] GetCurrentProcess () returned 0xffffffff [0303.068] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0303.073] CloseHandle (hObject=0x3ec) returned 1 [0303.074] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0303.074] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0303.074] GetCurrentProcess () returned 0xffffffff [0303.074] GetCurrentProcess () returned 0xffffffff [0303.074] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7b8) returned 1 [0303.074] CloseHandle (hObject=0x3ec) returned 1 [0303.074] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0303.074] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0303.074] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0303.074] CoTaskMemFree (pv=0xed7c70) [0303.074] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=c: /on=c: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea9c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f4866d8 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=c: /on=c: /maxsize=401MB", lpProcessInformation=0x1f4866d8*(hProcess=0x7b4, hThread=0x3ec, dwProcessId=0x12e0, dwThreadId=0x11cc)) returned 1 [0303.088] CloseHandle (hObject=0x2d0) returned 1 [0303.088] GetFileType (hFile=0x7b8) returned 0x3 [0303.088] CloseHandle (hObject=0x3ec) returned 1 [0303.088] ReadFile (in: hFile=0x7b8, lpBuffer=0x1f486bf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f486bf0*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0303.367] ReadFile (in: hFile=0x7b8, lpBuffer=0x1f486bf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f486bf0*, lpNumberOfBytesRead=0x1f16ec70*=0x7, lpOverlapped=0x0) returned 1 [0303.403] ReadFile (in: hFile=0x7b8, lpBuffer=0x1f486bf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f486bf0*, lpNumberOfBytesRead=0x1f16ec70*=0x80, lpOverlapped=0x0) returned 1 [0303.403] ReadFile (in: hFile=0x7b8, lpBuffer=0x1f486bf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f486bf0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0303.413] GetCurrentProcess () returned 0xffffffff [0303.413] GetCurrentProcess () returned 0xffffffff [0303.413] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0303.418] CloseHandle (hObject=0x3ec) returned 1 [0303.418] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0303.418] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0303.419] GetCurrentProcess () returned 0xffffffff [0303.419] GetCurrentProcess () returned 0xffffffff [0303.419] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7c0) returned 1 [0303.419] CloseHandle (hObject=0x3ec) returned 1 [0303.419] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0303.419] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0303.419] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0303.419] CoTaskMemFree (pv=0xed7c70) [0303.419] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=c: /on=c: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea94*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f48a510 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=c: /on=c: /maxsize=unbounded", lpProcessInformation=0x1f48a510*(hProcess=0x7bc, hThread=0x3ec, dwProcessId=0x1020, dwThreadId=0xf44)) returned 1 [0303.430] CloseHandle (hObject=0x2d0) returned 1 [0303.430] GetFileType (hFile=0x7c0) returned 0x3 [0303.431] CloseHandle (hObject=0x3ec) returned 1 [0303.431] ReadFile (in: hFile=0x7c0, lpBuffer=0x1f48aa30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48aa30*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0303.799] ReadFile (in: hFile=0x7c0, lpBuffer=0x1f48aa30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48aa30*, lpNumberOfBytesRead=0x1f16ec70*=0x7, lpOverlapped=0x0) returned 1 [0303.826] ReadFile (in: hFile=0x7c0, lpBuffer=0x1f48aa30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48aa30*, lpNumberOfBytesRead=0x1f16ec70*=0x80, lpOverlapped=0x0) returned 1 [0303.826] ReadFile (in: hFile=0x7c0, lpBuffer=0x1f48aa30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48aa30, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0303.847] GetCurrentProcess () returned 0xffffffff [0303.847] GetCurrentProcess () returned 0xffffffff [0303.847] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0303.853] CloseHandle (hObject=0x3ec) returned 1 [0303.853] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0303.853] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0303.853] GetCurrentProcess () returned 0xffffffff [0303.853] GetCurrentProcess () returned 0xffffffff [0303.853] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7c8) returned 1 [0303.853] CloseHandle (hObject=0x3ec) returned 1 [0303.853] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0303.853] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0303.853] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0303.853] CoTaskMemFree (pv=0xed7c70) [0303.854] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=d: /on=d: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea9c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f48e348 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=d: /on=d: /maxsize=401MB", lpProcessInformation=0x1f48e348*(hProcess=0x7c4, hThread=0x3ec, dwProcessId=0x121c, dwThreadId=0x11f8)) returned 1 [0303.866] CloseHandle (hObject=0x2d0) returned 1 [0303.866] GetFileType (hFile=0x7c8) returned 0x3 [0303.866] CloseHandle (hObject=0x3ec) returned 1 [0303.867] ReadFile (in: hFile=0x7c8, lpBuffer=0x1f48e860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48e860*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0304.186] ReadFile (in: hFile=0x7c8, lpBuffer=0x1f48e860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48e860*, lpNumberOfBytesRead=0x1f16ec70*=0x7, lpOverlapped=0x0) returned 1 [0304.218] ReadFile (in: hFile=0x7c8, lpBuffer=0x1f48e860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48e860*, lpNumberOfBytesRead=0x1f16ec70*=0x80, lpOverlapped=0x0) returned 1 [0304.219] ReadFile (in: hFile=0x7c8, lpBuffer=0x1f48e860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f48e860, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0304.239] GetCurrentProcess () returned 0xffffffff [0304.239] GetCurrentProcess () returned 0xffffffff [0304.239] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0304.245] CloseHandle (hObject=0x3ec) returned 1 [0304.245] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0304.246] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0304.246] GetCurrentProcess () returned 0xffffffff [0304.246] GetCurrentProcess () returned 0xffffffff [0304.246] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7d0) returned 1 [0304.246] CloseHandle (hObject=0x3ec) returned 1 [0304.246] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0304.246] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0304.246] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0304.246] CoTaskMemFree (pv=0xed7c70) [0304.246] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=d: /on=d: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea94*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f492180 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=d: /on=d: /maxsize=unbounded", lpProcessInformation=0x1f492180*(hProcess=0x7cc, hThread=0x3ec, dwProcessId=0x11b8, dwThreadId=0x1320)) returned 1 [0304.259] CloseHandle (hObject=0x2d0) returned 1 [0304.259] GetFileType (hFile=0x7d0) returned 0x3 [0304.260] CloseHandle (hObject=0x3ec) returned 1 [0304.260] ReadFile (in: hFile=0x7d0, lpBuffer=0x1f4926a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4926a0*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0304.561] ReadFile (in: hFile=0x7d0, lpBuffer=0x1f4926a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4926a0*, lpNumberOfBytesRead=0x1f16ec70*=0x7, lpOverlapped=0x0) returned 1 [0304.674] ReadFile (in: hFile=0x7d0, lpBuffer=0x1f4926a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4926a0*, lpNumberOfBytesRead=0x1f16ec70*=0x80, lpOverlapped=0x0) returned 1 [0304.675] ReadFile (in: hFile=0x7d0, lpBuffer=0x1f4926a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4926a0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0304.700] GetCurrentProcess () returned 0xffffffff [0304.700] GetCurrentProcess () returned 0xffffffff [0304.700] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0304.705] CloseHandle (hObject=0x3ec) returned 1 [0304.706] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0304.706] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0304.706] GetCurrentProcess () returned 0xffffffff [0304.706] GetCurrentProcess () returned 0xffffffff [0304.706] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7d8) returned 1 [0304.706] CloseHandle (hObject=0x3ec) returned 1 [0304.706] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0304.706] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0304.706] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0304.706] CoTaskMemFree (pv=0xed7c70) [0304.706] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=e: /on=e: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea9c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f495fb8 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=e: /on=e: /maxsize=401MB", lpProcessInformation=0x1f495fb8*(hProcess=0x7d4, hThread=0x3ec, dwProcessId=0x1110, dwThreadId=0x110c)) returned 1 [0304.720] CloseHandle (hObject=0x2d0) returned 1 [0304.720] GetFileType (hFile=0x7d8) returned 0x3 [0304.720] CloseHandle (hObject=0x3ec) returned 1 [0304.720] ReadFile (in: hFile=0x7d8, lpBuffer=0x1f4964d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4964d0*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0305.013] ReadFile (in: hFile=0x7d8, lpBuffer=0x1f4964d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4964d0*, lpNumberOfBytesRead=0x1f16ec70*=0x7, lpOverlapped=0x0) returned 1 [0305.043] ReadFile (in: hFile=0x7d8, lpBuffer=0x1f4964d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4964d0*, lpNumberOfBytesRead=0x1f16ec70*=0x80, lpOverlapped=0x0) returned 1 [0305.043] ReadFile (in: hFile=0x7d8, lpBuffer=0x1f4964d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f4964d0, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0305.053] GetCurrentProcess () returned 0xffffffff [0305.053] GetCurrentProcess () returned 0xffffffff [0305.053] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0305.058] CloseHandle (hObject=0x3ec) returned 1 [0305.059] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0305.059] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0305.059] GetCurrentProcess () returned 0xffffffff [0305.059] GetCurrentProcess () returned 0xffffffff [0305.059] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7e0) returned 1 [0305.059] CloseHandle (hObject=0x3ec) returned 1 [0305.059] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0305.059] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0305.059] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0305.059] CoTaskMemFree (pv=0xed7c70) [0305.060] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=e: /on=e: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea94*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f499df0 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=e: /on=e: /maxsize=unbounded", lpProcessInformation=0x1f499df0*(hProcess=0x7dc, hThread=0x3ec, dwProcessId=0x1158, dwThreadId=0x1200)) returned 1 [0305.072] CloseHandle (hObject=0x2d0) returned 1 [0305.072] GetFileType (hFile=0x7e0) returned 0x3 [0305.073] CloseHandle (hObject=0x3ec) returned 1 [0305.073] ReadFile (in: hFile=0x7e0, lpBuffer=0x1f49a310, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f49a310*, lpNumberOfBytesRead=0x1f16ec70*=0x77, lpOverlapped=0x0) returned 1 [0305.417] ReadFile (in: hFile=0x7e0, lpBuffer=0x1f49a310, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f49a310*, lpNumberOfBytesRead=0x1f16ec70*=0x7, lpOverlapped=0x0) returned 1 [0305.445] ReadFile (in: hFile=0x7e0, lpBuffer=0x1f49a310, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f49a310*, lpNumberOfBytesRead=0x1f16ec70*=0x80, lpOverlapped=0x0) returned 1 [0305.445] ReadFile (in: hFile=0x7e0, lpBuffer=0x1f49a310, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0 | out: lpBuffer=0x1f49a310, lpNumberOfBytesRead=0x1f16ec70*=0x0, lpOverlapped=0x0) returned 0 [0305.460] GetCurrentProcess () returned 0xffffffff [0305.461] GetCurrentProcess () returned 0xffffffff [0305.461] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x7dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16ec58, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16ec58*=0x3ec) returned 1 [0305.466] CloseHandle (hObject=0x3ec) returned 1 [0305.466] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0305.466] CreatePipe (in: hReadPipe=0x1f16eb98, hWritePipe=0x1f16eb94, lpPipeAttributes=0x1f16eb18, nSize=0x0 | out: hReadPipe=0x1f16eb98*=0x3ec, hWritePipe=0x1f16eb94*=0x2d0) returned 1 [0305.466] GetCurrentProcess () returned 0xffffffff [0305.466] GetCurrentProcess () returned 0xffffffff [0305.466] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1f16eb9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1f16eb9c*=0x7e8) returned 1 [0305.467] CloseHandle (hObject=0x3ec) returned 1 [0305.467] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0305.467] CoTaskMemAlloc (cb=0x20e) returned 0xed7c70 [0305.467] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xed7c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0305.467] CoTaskMemFree (pv=0xed7c70) [0305.467] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=f: /on=f: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1f16ea9c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x2d0, hStdError=0x94), lpProcessInformation=0x1f49dc28 | out: lpCommandLine="\"vssadmin.exe\" resize shadowstorage /for=f: /on=f: /maxsize=401MB", lpProcessInformation=0x1f49dc28*(hProcess=0x7e4, hThread=0x3ec, dwProcessId=0x1240, dwThreadId=0x4f4)) returned 1 [0305.479] CloseHandle (hObject=0x2d0) returned 1 [0305.479] GetFileType (hFile=0x7e8) returned 0x3 [0305.480] CloseHandle (hObject=0x3ec) returned 1 [0305.480] ReadFile (hFile=0x7e8, lpBuffer=0x1f49e140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1f16ec70, lpOverlapped=0x0) Thread: id = 15 os_tid = 0xd78 Thread: id = 16 os_tid = 0xbb0 Thread: id = 17 os_tid = 0x888 [0184.655] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0184.655] RoInitialize () returned 0x1 [0184.655] RoUninitialize () returned 0x0 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3ff04000" os_pid = "0x1204" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x11f8 Thread: id = 5 os_tid = 0x122c Thread: id = 6 os_tid = 0x124c Thread: id = 7 os_tid = 0x1250 Thread: id = 8 os_tid = 0x1254 Process: id = "4" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x94ee000" os_pid = "0x13d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop avpsus /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 18 os_tid = 0x1388 Thread: id = 22 os_tid = 0x10c8 Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x47623000" os_pid = "0x13dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x13d4" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 19 os_tid = 0x13e0 Thread: id = 20 os_tid = 0x13c4 Thread: id = 21 os_tid = 0x13d8 Process: id = "6" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x65220000" os_pid = "0x10bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x13d4" cmd_line = "C:\\WINDOWS\\system32\\net1 stop avpsus /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0x1104 [0266.553] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0266.553] __set_app_type (_Type=0x1) [0266.553] __p__fmode () returned 0x776f3c14 [0266.553] __p__commode () returned 0x776f49ec [0266.553] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0266.553] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0266.553] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0266.554] GetConsoleOutputCP () returned 0x1b5 [0266.559] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0266.559] SetThreadUILanguage (LangId=0x0) returned 0x2c30409 [0266.588] sprintf_s (in: _DstBuf=0x2e7fd54, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0266.588] setlocale (category=0, locale=".437") returned="English_United States.437" [0266.591] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0266.591] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0266.591] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop avpsus /y" [0266.591] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e7fafc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0266.591] RtlAllocateHeap (HeapHandle=0x31e0000, Flags=0x0, Size=0x60) returned 0x31e9098 [0266.591] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0266.592] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2e7faf8 | out: Buffer=0x2e7faf8*=0x31e7ce0) returned 0x0 [0266.592] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2e7faf4 | out: Buffer=0x2e7faf4*=0x31e7cf8) returned 0x0 [0266.592] __iob_func () returned 0x776f2608 [0266.592] _fileno (_File=0x776f2608) returned 0 [0266.592] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0266.592] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0266.592] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0266.592] _wcsicmp (_String1="config", _String2="stop") returned -16 [0266.592] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0266.592] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0266.592] _wcsicmp (_String1="file", _String2="stop") returned -13 [0266.592] _wcsicmp (_String1="files", _String2="stop") returned -13 [0266.592] _wcsicmp (_String1="group", _String2="stop") returned -12 [0266.592] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0266.593] _wcsicmp (_String1="help", _String2="stop") returned -11 [0266.593] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0266.593] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0266.593] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0266.593] _wcsicmp (_String1="session", _String2="stop") returned -15 [0266.593] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0266.593] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0266.593] _wcsicmp (_String1="share", _String2="stop") returned -12 [0266.593] _wcsicmp (_String1="start", _String2="stop") returned -14 [0266.593] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0266.593] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0266.593] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0266.593] _wcsicmp (_String1="accounts", _String2="avpsus") returned -19 [0266.593] _wcsicmp (_String1="computer", _String2="avpsus") returned 2 [0266.593] _wcsicmp (_String1="config", _String2="avpsus") returned 2 [0266.593] _wcsicmp (_String1="continue", _String2="avpsus") returned 2 [0266.593] _wcsicmp (_String1="cont", _String2="avpsus") returned 2 [0266.593] _wcsicmp (_String1="file", _String2="avpsus") returned 5 [0266.594] _wcsicmp (_String1="files", _String2="avpsus") returned 5 [0266.594] _wcsicmp (_String1="group", _String2="avpsus") returned 6 [0266.594] _wcsicmp (_String1="groups", _String2="avpsus") returned 6 [0266.594] _wcsicmp (_String1="help", _String2="avpsus") returned 7 [0266.594] _wcsicmp (_String1="helpmsg", _String2="avpsus") returned 7 [0266.594] _wcsicmp (_String1="localgroup", _String2="avpsus") returned 11 [0266.594] _wcsicmp (_String1="pause", _String2="avpsus") returned 15 [0266.594] _wcsicmp (_String1="session", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="sessions", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="sess", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="share", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="start", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="stats", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="statistics", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="stop", _String2="avpsus") returned 18 [0266.594] _wcsicmp (_String1="time", _String2="avpsus") returned 19 [0266.594] _wcsicmp (_String1="user", _String2="avpsus") returned 20 [0266.594] _wcsicmp (_String1="users", _String2="avpsus") returned 20 [0266.594] _wcsicmp (_String1="msg", _String2="avpsus") returned 12 [0266.595] _wcsicmp (_String1="messenger", _String2="avpsus") returned 12 [0266.595] _wcsicmp (_String1="receiver", _String2="avpsus") returned 17 [0266.595] _wcsicmp (_String1="rcv", _String2="avpsus") returned 17 [0266.595] _wcsicmp (_String1="netpopup", _String2="avpsus") returned 13 [0266.595] _wcsicmp (_String1="redirector", _String2="avpsus") returned 17 [0266.595] _wcsicmp (_String1="redir", _String2="avpsus") returned 17 [0266.595] _wcsicmp (_String1="rdr", _String2="avpsus") returned 17 [0266.595] _wcsicmp (_String1="workstation", _String2="avpsus") returned 22 [0266.595] _wcsicmp (_String1="work", _String2="avpsus") returned 22 [0266.595] _wcsicmp (_String1="wksta", _String2="avpsus") returned 22 [0266.595] _wcsicmp (_String1="prdr", _String2="avpsus") returned 15 [0266.595] _wcsicmp (_String1="devrdr", _String2="avpsus") returned 3 [0266.595] _wcsicmp (_String1="lanmanworkstation", _String2="avpsus") returned 11 [0266.595] _wcsicmp (_String1="server", _String2="avpsus") returned 18 [0266.595] _wcsicmp (_String1="svr", _String2="avpsus") returned 18 [0266.595] _wcsicmp (_String1="srv", _String2="avpsus") returned 18 [0266.595] _wcsicmp (_String1="lanmanserver", _String2="avpsus") returned 11 [0266.595] _wcsicmp (_String1="alerter", _String2="avpsus") returned -10 [0266.595] _wcsicmp (_String1="netlogon", _String2="avpsus") returned 13 [0266.596] _wcsupr (in: _String="avpsus" | out: _String="AVPSUS") returned="AVPSUS" [0266.596] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x31f09c0 [0266.603] GetServiceKeyNameW (in: hSCManager=0x31f09c0, lpDisplayName="AVPSUS", lpServiceName=0x1c8c28, lpcchBuffer=0x2e7fa6c | out: lpServiceName="", lpcchBuffer=0x2e7fa6c) returned 0 [0273.244] _wcsicmp (_String1="msg", _String2="AVPSUS") returned 12 [0273.244] _wcsicmp (_String1="messenger", _String2="AVPSUS") returned 12 [0273.244] _wcsicmp (_String1="receiver", _String2="AVPSUS") returned 17 [0273.244] _wcsicmp (_String1="rcv", _String2="AVPSUS") returned 17 [0273.244] _wcsicmp (_String1="redirector", _String2="AVPSUS") returned 17 [0273.244] _wcsicmp (_String1="redir", _String2="AVPSUS") returned 17 [0273.244] _wcsicmp (_String1="rdr", _String2="AVPSUS") returned 17 [0273.244] _wcsicmp (_String1="workstation", _String2="AVPSUS") returned 22 [0273.244] _wcsicmp (_String1="work", _String2="AVPSUS") returned 22 [0273.244] _wcsicmp (_String1="wksta", _String2="AVPSUS") returned 22 [0273.245] _wcsicmp (_String1="prdr", _String2="AVPSUS") returned 15 [0273.245] _wcsicmp (_String1="devrdr", _String2="AVPSUS") returned 3 [0273.245] _wcsicmp (_String1="lanmanworkstation", _String2="AVPSUS") returned 11 [0273.245] _wcsicmp (_String1="server", _String2="AVPSUS") returned 18 [0273.245] _wcsicmp (_String1="svr", _String2="AVPSUS") returned 18 [0273.245] _wcsicmp (_String1="srv", _String2="AVPSUS") returned 18 [0273.245] _wcsicmp (_String1="lanmanserver", _String2="AVPSUS") returned 11 [0273.245] _wcsicmp (_String1="alerter", _String2="AVPSUS") returned -10 [0273.245] _wcsicmp (_String1="netlogon", _String2="AVPSUS") returned 13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="WORKSTATION") returned -22 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="LanmanWorkstation") returned -11 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="SERVER") returned -18 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="LanmanServer") returned -11 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="BROWSER") returned -1 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="BROWSER") returned -1 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="MESSENGER") returned -12 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="MESSENGER") returned -12 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="NETRUN") returned -13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="NETRUN") returned -13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="SPOOLER") returned -18 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="SPOOLER") returned -18 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="ALERTER") returned 10 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="ALERTER") returned 10 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="NETLOGON") returned -13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="NETLOGON") returned -13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="NETPOPUP") returned -13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="NETPOPUP") returned -13 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="SQLSERVER") returned -18 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="SQLSERVER") returned -18 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="REPLICATOR") returned -17 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="REPLICATOR") returned -17 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="REMOTEBOOT") returned -17 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="REMOTEBOOT") returned -17 [0273.245] _wcsicmp (_String1="AVPSUS", _String2="TIMESOURCE") returned -19 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="TIMESOURCE") returned -19 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="AFP") returned 16 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="AFP") returned 16 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="UPS") returned -20 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="UPS") returned -20 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="XACTSRV") returned -23 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="XACTSRV") returned -23 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="TCPIP") returned -19 [0273.246] _wcsicmp (_String1="AVPSUS", _String2="TCPIP") returned -19 [0273.246] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x31f0b28 [0273.248] OpenServiceW (hSCManager=0x31f0b28, lpServiceName="AVPSUS", dwDesiredAccess=0x84) returned 0x0 [0273.248] GetLastError () returned 0x424 [0273.252] CloseServiceHandle (hSCObject=0x31f0b28) returned 1 [0273.253] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0273.253] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2bd0002 [0273.258] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2bd0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0273.263] GetFileType (hFile=0x94) returned 0x2 [0273.263] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f8fc | out: lpMode=0x2e7f8fc) returned 1 [0273.267] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2e7f908, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2e7f908*=0x1e) returned 1 [0273.279] GetFileType (hFile=0x94) returned 0x2 [0273.279] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f8fc | out: lpMode=0x2e7f8fc) returned 1 [0273.279] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2e7f908, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2e7f908*=0x2) returned 1 [0273.281] _ultow (in: _Dest=0x889, _Radix=48757072 | out: _Dest=0x889) returned="2185" [0273.282] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2bd0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0273.333] GetFileType (hFile=0x94) returned 0x2 [0273.333] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f920 | out: lpMode=0x2e7f920) returned 1 [0273.358] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2e7f92c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2e7f92c*=0x34) returned 1 [0273.358] GetFileType (hFile=0x94) returned 0x2 [0273.359] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f920 | out: lpMode=0x2e7f920) returned 1 [0273.359] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2e7f92c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2e7f92c*=0x2) returned 1 [0273.360] NetApiBufferFree (Buffer=0x31e7ce0) returned 0x0 [0273.360] NetApiBufferFree (Buffer=0x31e7cf8) returned 0x0 [0273.360] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop avpsus /y" [0273.360] exit (_Code=2) Thread: id = 24 os_tid = 0x1328 Process: id = "7" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x2c9e000" os_pid = "0x107c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop McAfeeDLPAgentService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0xfe8 Thread: id = 29 os_tid = 0x13f8 Process: id = "8" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x63a67000" os_pid = "0x10f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x107c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0xffc Thread: id = 27 os_tid = 0x1340 Thread: id = 28 os_tid = 0x10a0 Process: id = "9" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x39766000" os_pid = "0x1090" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x107c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop McAfeeDLPAgentService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x123c [0274.830] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0274.831] __set_app_type (_Type=0x1) [0274.831] __p__fmode () returned 0x776f3c14 [0274.831] __p__commode () returned 0x776f49ec [0274.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0274.831] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0274.831] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0274.831] GetConsoleOutputCP () returned 0x1b5 [0274.918] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0274.918] SetThreadUILanguage (LangId=0x0) returned 0x2c00409 [0275.013] sprintf_s (in: _DstBuf=0x2edfb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0275.014] setlocale (category=0, locale=".437") returned="English_United States.437" [0275.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0275.015] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0275.015] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop McAfeeDLPAgentService /y" [0275.015] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2edf940, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0275.015] RtlAllocateHeap (HeapHandle=0x30d0000, Flags=0x0, Size=0x7e) returned 0x30d45b0 [0275.015] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0275.016] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2edf93c | out: Buffer=0x2edf93c*=0x30d7da0) returned 0x0 [0275.016] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2edf938 | out: Buffer=0x2edf938*=0x30d7db8) returned 0x0 [0275.016] __iob_func () returned 0x776f2608 [0275.016] _fileno (_File=0x776f2608) returned 0 [0275.016] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0275.016] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0275.016] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0275.016] _wcsicmp (_String1="config", _String2="stop") returned -16 [0275.016] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0275.016] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0275.016] _wcsicmp (_String1="file", _String2="stop") returned -13 [0275.016] _wcsicmp (_String1="files", _String2="stop") returned -13 [0275.016] _wcsicmp (_String1="group", _String2="stop") returned -12 [0275.016] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0275.016] _wcsicmp (_String1="help", _String2="stop") returned -11 [0275.016] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0275.016] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0275.016] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0275.016] _wcsicmp (_String1="session", _String2="stop") returned -15 [0275.016] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0275.016] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0275.016] _wcsicmp (_String1="share", _String2="stop") returned -12 [0275.016] _wcsicmp (_String1="start", _String2="stop") returned -14 [0275.016] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0275.016] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0275.016] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0275.016] _wcsicmp (_String1="accounts", _String2="McAfeeDLPAgentService") returned -12 [0275.016] _wcsicmp (_String1="computer", _String2="McAfeeDLPAgentService") returned -10 [0275.016] _wcsicmp (_String1="config", _String2="McAfeeDLPAgentService") returned -10 [0275.016] _wcsicmp (_String1="continue", _String2="McAfeeDLPAgentService") returned -10 [0275.017] _wcsicmp (_String1="cont", _String2="McAfeeDLPAgentService") returned -10 [0275.017] _wcsicmp (_String1="file", _String2="McAfeeDLPAgentService") returned -7 [0275.017] _wcsicmp (_String1="files", _String2="McAfeeDLPAgentService") returned -7 [0275.017] _wcsicmp (_String1="group", _String2="McAfeeDLPAgentService") returned -6 [0275.017] _wcsicmp (_String1="groups", _String2="McAfeeDLPAgentService") returned -6 [0275.017] _wcsicmp (_String1="help", _String2="McAfeeDLPAgentService") returned -5 [0275.017] _wcsicmp (_String1="helpmsg", _String2="McAfeeDLPAgentService") returned -5 [0275.017] _wcsicmp (_String1="localgroup", _String2="McAfeeDLPAgentService") returned -1 [0275.017] _wcsicmp (_String1="pause", _String2="McAfeeDLPAgentService") returned 3 [0275.017] _wcsicmp (_String1="session", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="sessions", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="sess", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="share", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="start", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="stats", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="statistics", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="stop", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="time", _String2="McAfeeDLPAgentService") returned 7 [0275.017] _wcsicmp (_String1="user", _String2="McAfeeDLPAgentService") returned 8 [0275.017] _wcsicmp (_String1="users", _String2="McAfeeDLPAgentService") returned 8 [0275.017] _wcsicmp (_String1="msg", _String2="McAfeeDLPAgentService") returned 16 [0275.017] _wcsicmp (_String1="messenger", _String2="McAfeeDLPAgentService") returned 2 [0275.017] _wcsicmp (_String1="receiver", _String2="McAfeeDLPAgentService") returned 5 [0275.017] _wcsicmp (_String1="rcv", _String2="McAfeeDLPAgentService") returned 5 [0275.017] _wcsicmp (_String1="netpopup", _String2="McAfeeDLPAgentService") returned 1 [0275.017] _wcsicmp (_String1="redirector", _String2="McAfeeDLPAgentService") returned 5 [0275.017] _wcsicmp (_String1="redir", _String2="McAfeeDLPAgentService") returned 5 [0275.017] _wcsicmp (_String1="rdr", _String2="McAfeeDLPAgentService") returned 5 [0275.017] _wcsicmp (_String1="workstation", _String2="McAfeeDLPAgentService") returned 10 [0275.017] _wcsicmp (_String1="work", _String2="McAfeeDLPAgentService") returned 10 [0275.017] _wcsicmp (_String1="wksta", _String2="McAfeeDLPAgentService") returned 10 [0275.017] _wcsicmp (_String1="prdr", _String2="McAfeeDLPAgentService") returned 3 [0275.017] _wcsicmp (_String1="devrdr", _String2="McAfeeDLPAgentService") returned -9 [0275.017] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeDLPAgentService") returned -1 [0275.017] _wcsicmp (_String1="server", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="svr", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="srv", _String2="McAfeeDLPAgentService") returned 6 [0275.017] _wcsicmp (_String1="lanmanserver", _String2="McAfeeDLPAgentService") returned -1 [0275.018] _wcsicmp (_String1="alerter", _String2="McAfeeDLPAgentService") returned -12 [0275.018] _wcsicmp (_String1="netlogon", _String2="McAfeeDLPAgentService") returned 1 [0275.018] _wcsupr (in: _String="McAfeeDLPAgentService" | out: _String="MCAFEEDLPAGENTSERVICE") returned="MCAFEEDLPAGENTSERVICE" [0275.018] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x30e09a8 [0275.022] GetServiceKeyNameW (in: hSCManager=0x30e09a8, lpDisplayName="MCAFEEDLPAGENTSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x2edf8ac | out: lpServiceName="", lpcchBuffer=0x2edf8ac) returned 0 [0275.024] _wcsicmp (_String1="msg", _String2="MCAFEEDLPAGENTSERVICE") returned 16 [0275.024] _wcsicmp (_String1="messenger", _String2="MCAFEEDLPAGENTSERVICE") returned 2 [0275.024] _wcsicmp (_String1="receiver", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0275.024] _wcsicmp (_String1="rcv", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0275.024] _wcsicmp (_String1="redirector", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0275.024] _wcsicmp (_String1="redir", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0275.024] _wcsicmp (_String1="rdr", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0275.024] _wcsicmp (_String1="workstation", _String2="MCAFEEDLPAGENTSERVICE") returned 10 [0275.024] _wcsicmp (_String1="work", _String2="MCAFEEDLPAGENTSERVICE") returned 10 [0275.024] _wcsicmp (_String1="wksta", _String2="MCAFEEDLPAGENTSERVICE") returned 10 [0275.024] _wcsicmp (_String1="prdr", _String2="MCAFEEDLPAGENTSERVICE") returned 3 [0275.024] _wcsicmp (_String1="devrdr", _String2="MCAFEEDLPAGENTSERVICE") returned -9 [0275.024] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEDLPAGENTSERVICE") returned -1 [0275.024] _wcsicmp (_String1="server", _String2="MCAFEEDLPAGENTSERVICE") returned 6 [0275.024] _wcsicmp (_String1="svr", _String2="MCAFEEDLPAGENTSERVICE") returned 6 [0275.024] _wcsicmp (_String1="srv", _String2="MCAFEEDLPAGENTSERVICE") returned 6 [0275.024] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEDLPAGENTSERVICE") returned -1 [0275.024] _wcsicmp (_String1="alerter", _String2="MCAFEEDLPAGENTSERVICE") returned -12 [0275.024] _wcsicmp (_String1="netlogon", _String2="MCAFEEDLPAGENTSERVICE") returned 1 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="WORKSTATION") returned -10 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="LanmanWorkstation") returned 1 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SERVER") returned -6 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="LanmanServer") returned 1 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="BROWSER") returned 11 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="BROWSER") returned 11 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="MESSENGER") returned -2 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="MESSENGER") returned -2 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETRUN") returned -1 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETRUN") returned -1 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SPOOLER") returned -6 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SPOOLER") returned -6 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="ALERTER") returned 12 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="ALERTER") returned 12 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETLOGON") returned -1 [0275.024] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETLOGON") returned -1 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETPOPUP") returned -1 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETPOPUP") returned -1 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SQLSERVER") returned -6 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SQLSERVER") returned -6 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REPLICATOR") returned -5 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REPLICATOR") returned -5 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REMOTEBOOT") returned -5 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REMOTEBOOT") returned -5 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TIMESOURCE") returned -7 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TIMESOURCE") returned -7 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="AFP") returned 12 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="AFP") returned 12 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="UPS") returned -8 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="UPS") returned -8 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="XACTSRV") returned -11 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="XACTSRV") returned -11 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TCPIP") returned -7 [0275.025] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TCPIP") returned -7 [0275.025] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x30e0ae8 [0275.025] OpenServiceW (hSCManager=0x30e0ae8, lpServiceName="MCAFEEDLPAGENTSERVICE", dwDesiredAccess=0x84) returned 0x0 [0275.026] GetLastError () returned 0x424 [0275.026] CloseServiceHandle (hSCObject=0x30e0ae8) returned 1 [0275.026] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0275.026] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2f50002 [0275.027] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2f50002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0275.027] GetFileType (hFile=0x94) returned 0x2 [0275.027] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2edf73c | out: lpMode=0x2edf73c) returned 1 [0275.121] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2edf748, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2edf748*=0x1e) returned 1 [0275.215] GetFileType (hFile=0x94) returned 0x2 [0275.216] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2edf73c | out: lpMode=0x2edf73c) returned 1 [0275.308] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2edf748, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2edf748*=0x2) returned 1 [0275.402] _ultow (in: _Dest=0x889, _Radix=49149840 | out: _Dest=0x889) returned="2185" [0275.402] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2f50002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0275.402] GetFileType (hFile=0x94) returned 0x2 [0275.402] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2edf760 | out: lpMode=0x2edf760) returned 1 [0275.411] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2edf76c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2edf76c*=0x34) returned 1 [0275.411] GetFileType (hFile=0x94) returned 0x2 [0275.411] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2edf760 | out: lpMode=0x2edf760) returned 1 [0275.411] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2edf76c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2edf76c*=0x2) returned 1 [0275.412] NetApiBufferFree (Buffer=0x30d7da0) returned 0x0 [0275.412] NetApiBufferFree (Buffer=0x30d7db8) returned 0x0 [0275.412] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop McAfeeDLPAgentService /y" [0275.412] exit (_Code=2) Thread: id = 31 os_tid = 0x1164 Process: id = "10" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x3cca5000" os_pid = "0x4f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop mfewc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0x510 Thread: id = 36 os_tid = 0x680 Process: id = "11" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x66252000" os_pid = "0x514" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x4f0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0x790 Thread: id = 34 os_tid = 0xd18 Thread: id = 35 os_tid = 0xcfc Process: id = "12" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x71417000" os_pid = "0x774" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x4f0" cmd_line = "C:\\WINDOWS\\system32\\net1 stop mfewc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 37 os_tid = 0xd4c [0277.572] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0277.572] __set_app_type (_Type=0x1) [0277.572] __p__fmode () returned 0x776f3c14 [0277.572] __p__commode () returned 0x776f49ec [0277.572] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0277.572] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0277.572] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0277.572] GetConsoleOutputCP () returned 0x1b5 [0277.653] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0277.653] SetThreadUILanguage (LangId=0x0) returned 0x2a50409 [0277.747] sprintf_s (in: _DstBuf=0x298fda4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0277.747] setlocale (category=0, locale=".437") returned="English_United States.437" [0277.749] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0277.749] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0277.749] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop mfewc /y" [0277.749] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x298fb4c, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0277.750] RtlAllocateHeap (HeapHandle=0x2d60000, Flags=0x0, Size=0x5e) returned 0x2d64388 [0277.750] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0277.750] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x298fb48 | out: Buffer=0x298fb48*=0x2d67e60) returned 0x0 [0277.750] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x298fb44 | out: Buffer=0x298fb44*=0x2d67e30) returned 0x0 [0277.750] __iob_func () returned 0x776f2608 [0277.750] _fileno (_File=0x776f2608) returned 0 [0277.750] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0277.750] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0277.750] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0277.750] _wcsicmp (_String1="config", _String2="stop") returned -16 [0277.750] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0277.750] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0277.750] _wcsicmp (_String1="file", _String2="stop") returned -13 [0277.750] _wcsicmp (_String1="files", _String2="stop") returned -13 [0277.750] _wcsicmp (_String1="group", _String2="stop") returned -12 [0277.750] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0277.750] _wcsicmp (_String1="help", _String2="stop") returned -11 [0277.750] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0277.750] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0277.750] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0277.750] _wcsicmp (_String1="session", _String2="stop") returned -15 [0277.750] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0277.750] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0277.750] _wcsicmp (_String1="share", _String2="stop") returned -12 [0277.750] _wcsicmp (_String1="start", _String2="stop") returned -14 [0277.750] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0277.751] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0277.751] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0277.751] _wcsicmp (_String1="accounts", _String2="mfewc") returned -12 [0277.751] _wcsicmp (_String1="computer", _String2="mfewc") returned -10 [0277.751] _wcsicmp (_String1="config", _String2="mfewc") returned -10 [0277.751] _wcsicmp (_String1="continue", _String2="mfewc") returned -10 [0277.751] _wcsicmp (_String1="cont", _String2="mfewc") returned -10 [0277.751] _wcsicmp (_String1="file", _String2="mfewc") returned -7 [0277.751] _wcsicmp (_String1="files", _String2="mfewc") returned -7 [0277.751] _wcsicmp (_String1="group", _String2="mfewc") returned -6 [0277.751] _wcsicmp (_String1="groups", _String2="mfewc") returned -6 [0277.751] _wcsicmp (_String1="help", _String2="mfewc") returned -5 [0277.751] _wcsicmp (_String1="helpmsg", _String2="mfewc") returned -5 [0277.751] _wcsicmp (_String1="localgroup", _String2="mfewc") returned -1 [0277.751] _wcsicmp (_String1="pause", _String2="mfewc") returned 3 [0277.751] _wcsicmp (_String1="session", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="sessions", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="sess", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="share", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="start", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="stats", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="statistics", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="stop", _String2="mfewc") returned 6 [0277.751] _wcsicmp (_String1="time", _String2="mfewc") returned 7 [0277.751] _wcsicmp (_String1="user", _String2="mfewc") returned 8 [0277.751] _wcsicmp (_String1="users", _String2="mfewc") returned 8 [0277.751] _wcsicmp (_String1="msg", _String2="mfewc") returned 13 [0277.751] _wcsicmp (_String1="messenger", _String2="mfewc") returned -1 [0277.751] _wcsicmp (_String1="receiver", _String2="mfewc") returned 5 [0277.751] _wcsicmp (_String1="rcv", _String2="mfewc") returned 5 [0277.751] _wcsicmp (_String1="netpopup", _String2="mfewc") returned 1 [0277.751] _wcsicmp (_String1="redirector", _String2="mfewc") returned 5 [0277.751] _wcsicmp (_String1="redir", _String2="mfewc") returned 5 [0277.751] _wcsicmp (_String1="rdr", _String2="mfewc") returned 5 [0277.751] _wcsicmp (_String1="workstation", _String2="mfewc") returned 10 [0277.752] _wcsicmp (_String1="work", _String2="mfewc") returned 10 [0277.752] _wcsicmp (_String1="wksta", _String2="mfewc") returned 10 [0277.752] _wcsicmp (_String1="prdr", _String2="mfewc") returned 3 [0277.752] _wcsicmp (_String1="devrdr", _String2="mfewc") returned -9 [0277.752] _wcsicmp (_String1="lanmanworkstation", _String2="mfewc") returned -1 [0277.752] _wcsicmp (_String1="server", _String2="mfewc") returned 6 [0277.752] _wcsicmp (_String1="svr", _String2="mfewc") returned 6 [0277.752] _wcsicmp (_String1="srv", _String2="mfewc") returned 6 [0277.752] _wcsicmp (_String1="lanmanserver", _String2="mfewc") returned -1 [0277.752] _wcsicmp (_String1="alerter", _String2="mfewc") returned -12 [0277.752] _wcsicmp (_String1="netlogon", _String2="mfewc") returned 1 [0277.752] _wcsupr (in: _String="mfewc" | out: _String="MFEWC") returned="MFEWC" [0277.752] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d70a30 [0277.756] GetServiceKeyNameW (in: hSCManager=0x2d70a30, lpDisplayName="MFEWC", lpServiceName=0x1c8c28, lpcchBuffer=0x298fabc | out: lpServiceName="", lpcchBuffer=0x298fabc) returned 0 [0277.757] _wcsicmp (_String1="msg", _String2="MFEWC") returned 13 [0277.757] _wcsicmp (_String1="messenger", _String2="MFEWC") returned -1 [0277.757] _wcsicmp (_String1="receiver", _String2="MFEWC") returned 5 [0277.757] _wcsicmp (_String1="rcv", _String2="MFEWC") returned 5 [0277.757] _wcsicmp (_String1="redirector", _String2="MFEWC") returned 5 [0277.757] _wcsicmp (_String1="redir", _String2="MFEWC") returned 5 [0277.757] _wcsicmp (_String1="rdr", _String2="MFEWC") returned 5 [0277.757] _wcsicmp (_String1="workstation", _String2="MFEWC") returned 10 [0277.757] _wcsicmp (_String1="work", _String2="MFEWC") returned 10 [0277.757] _wcsicmp (_String1="wksta", _String2="MFEWC") returned 10 [0277.757] _wcsicmp (_String1="prdr", _String2="MFEWC") returned 3 [0277.757] _wcsicmp (_String1="devrdr", _String2="MFEWC") returned -9 [0277.757] _wcsicmp (_String1="lanmanworkstation", _String2="MFEWC") returned -1 [0277.757] _wcsicmp (_String1="server", _String2="MFEWC") returned 6 [0277.757] _wcsicmp (_String1="svr", _String2="MFEWC") returned 6 [0277.757] _wcsicmp (_String1="srv", _String2="MFEWC") returned 6 [0277.757] _wcsicmp (_String1="lanmanserver", _String2="MFEWC") returned -1 [0277.757] _wcsicmp (_String1="alerter", _String2="MFEWC") returned -12 [0277.757] _wcsicmp (_String1="netlogon", _String2="MFEWC") returned 1 [0277.757] _wcsicmp (_String1="MFEWC", _String2="WORKSTATION") returned -10 [0277.757] _wcsicmp (_String1="MFEWC", _String2="LanmanWorkstation") returned 1 [0277.757] _wcsicmp (_String1="MFEWC", _String2="SERVER") returned -6 [0277.758] _wcsicmp (_String1="MFEWC", _String2="LanmanServer") returned 1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="BROWSER") returned 11 [0277.758] _wcsicmp (_String1="MFEWC", _String2="BROWSER") returned 11 [0277.758] _wcsicmp (_String1="MFEWC", _String2="MESSENGER") returned 1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="MESSENGER") returned 1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="NETRUN") returned -1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="NETRUN") returned -1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="SPOOLER") returned -6 [0277.758] _wcsicmp (_String1="MFEWC", _String2="SPOOLER") returned -6 [0277.758] _wcsicmp (_String1="MFEWC", _String2="ALERTER") returned 12 [0277.758] _wcsicmp (_String1="MFEWC", _String2="ALERTER") returned 12 [0277.758] _wcsicmp (_String1="MFEWC", _String2="NETLOGON") returned -1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="NETLOGON") returned -1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="NETPOPUP") returned -1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="NETPOPUP") returned -1 [0277.758] _wcsicmp (_String1="MFEWC", _String2="SQLSERVER") returned -6 [0277.758] _wcsicmp (_String1="MFEWC", _String2="SQLSERVER") returned -6 [0277.758] _wcsicmp (_String1="MFEWC", _String2="REPLICATOR") returned -5 [0277.758] _wcsicmp (_String1="MFEWC", _String2="REPLICATOR") returned -5 [0277.758] _wcsicmp (_String1="MFEWC", _String2="REMOTEBOOT") returned -5 [0277.758] _wcsicmp (_String1="MFEWC", _String2="REMOTEBOOT") returned -5 [0277.758] _wcsicmp (_String1="MFEWC", _String2="TIMESOURCE") returned -7 [0277.758] _wcsicmp (_String1="MFEWC", _String2="TIMESOURCE") returned -7 [0277.758] _wcsicmp (_String1="MFEWC", _String2="AFP") returned 12 [0277.758] _wcsicmp (_String1="MFEWC", _String2="AFP") returned 12 [0277.758] _wcsicmp (_String1="MFEWC", _String2="UPS") returned -8 [0277.758] _wcsicmp (_String1="MFEWC", _String2="UPS") returned -8 [0277.758] _wcsicmp (_String1="MFEWC", _String2="XACTSRV") returned -11 [0277.758] _wcsicmp (_String1="MFEWC", _String2="XACTSRV") returned -11 [0277.758] _wcsicmp (_String1="MFEWC", _String2="TCPIP") returned -7 [0277.758] _wcsicmp (_String1="MFEWC", _String2="TCPIP") returned -7 [0277.758] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2d70968 [0277.759] OpenServiceW (hSCManager=0x2d70968, lpServiceName="MFEWC", dwDesiredAccess=0x84) returned 0x0 [0277.759] GetLastError () returned 0x424 [0277.759] CloseServiceHandle (hSCObject=0x2d70968) returned 1 [0277.760] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0277.760] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x29c0002 [0277.761] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x29c0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0277.762] GetFileType (hFile=0x94) returned 0x2 [0277.762] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x298f94c | out: lpMode=0x298f94c) returned 1 [0277.839] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x298f958, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x298f958*=0x1e) returned 1 [0277.934] GetFileType (hFile=0x94) returned 0x2 [0277.934] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x298f94c | out: lpMode=0x298f94c) returned 1 [0278.027] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x298f958, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x298f958*=0x2) returned 1 [0278.120] _ultow (in: _Dest=0x889, _Radix=43579808 | out: _Dest=0x889) returned="2185" [0278.120] FormatMessageW (in: dwFlags=0x2800, lpSource=0x29c0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0278.120] GetFileType (hFile=0x94) returned 0x2 [0278.120] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x298f970 | out: lpMode=0x298f970) returned 1 [0278.200] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x298f97c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x298f97c*=0x34) returned 1 [0278.277] GetFileType (hFile=0x94) returned 0x2 [0278.277] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x298f970 | out: lpMode=0x298f970) returned 1 [0278.364] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x298f97c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x298f97c*=0x2) returned 1 [0278.512] NetApiBufferFree (Buffer=0x2d67e60) returned 0x0 [0278.512] NetApiBufferFree (Buffer=0x2d67e30) returned 0x0 [0278.512] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop mfewc /y" [0278.512] exit (_Code=2) Thread: id = 38 os_tid = 0x6dc Process: id = "13" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5bfaa000" os_pid = "0x12bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BMR Boot Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 39 os_tid = 0x133c Thread: id = 43 os_tid = 0x12b8 Process: id = "14" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x406b5000" os_pid = "0x1338" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x12bc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 40 os_tid = 0x12c0 Thread: id = 41 os_tid = 0x1084 Thread: id = 42 os_tid = 0x10b4 Process: id = "15" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5b9b2000" os_pid = "0x13fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x12bc" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BMR Boot Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0xa70 [0280.450] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0280.450] __set_app_type (_Type=0x1) [0280.450] __p__fmode () returned 0x776f3c14 [0280.450] __p__commode () returned 0x776f49ec [0280.451] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0280.451] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0280.451] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0280.451] GetConsoleOutputCP () returned 0x1b5 [0280.550] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0280.550] SetThreadUILanguage (LangId=0x0) returned 0x2390409 [0280.639] sprintf_s (in: _DstBuf=0x247f7f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0280.640] setlocale (category=0, locale=".437") returned="English_United States.437" [0280.642] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0280.642] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0280.642] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BMR Boot Service /y" [0280.643] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x247f5a0, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0280.643] RtlAllocateHeap (HeapHandle=0x2590000, Flags=0x0, Size=0x7c) returned 0x25982d0 [0280.643] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0280.643] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x247f59c | out: Buffer=0x247f59c*=0x2597d80) returned 0x0 [0280.643] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x247f598 | out: Buffer=0x247f598*=0x2597d68) returned 0x0 [0280.643] __iob_func () returned 0x776f2608 [0280.643] _fileno (_File=0x776f2608) returned 0 [0280.643] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0280.644] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0280.644] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0280.644] _wcsicmp (_String1="config", _String2="stop") returned -16 [0280.644] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0280.644] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0280.644] _wcsicmp (_String1="file", _String2="stop") returned -13 [0280.644] _wcsicmp (_String1="files", _String2="stop") returned -13 [0280.644] _wcsicmp (_String1="group", _String2="stop") returned -12 [0280.644] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0280.644] _wcsicmp (_String1="help", _String2="stop") returned -11 [0280.644] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0280.644] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0280.644] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0280.644] _wcsicmp (_String1="session", _String2="stop") returned -15 [0280.644] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0280.645] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0280.645] _wcsicmp (_String1="share", _String2="stop") returned -12 [0280.645] _wcsicmp (_String1="start", _String2="stop") returned -14 [0280.645] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0280.645] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0280.645] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0280.645] _wcsicmp (_String1="accounts", _String2="BMR") returned -1 [0280.645] _wcsicmp (_String1="computer", _String2="BMR") returned 1 [0280.645] _wcsicmp (_String1="config", _String2="BMR") returned 1 [0280.645] _wcsicmp (_String1="continue", _String2="BMR") returned 1 [0280.645] _wcsicmp (_String1="cont", _String2="BMR") returned 1 [0280.645] _wcsicmp (_String1="file", _String2="BMR") returned 4 [0280.645] _wcsicmp (_String1="files", _String2="BMR") returned 4 [0280.645] _wcsicmp (_String1="group", _String2="BMR") returned 5 [0280.645] _wcsicmp (_String1="groups", _String2="BMR") returned 5 [0280.645] _wcsicmp (_String1="help", _String2="BMR") returned 6 [0280.646] _wcsicmp (_String1="helpmsg", _String2="BMR") returned 6 [0280.646] _wcsicmp (_String1="localgroup", _String2="BMR") returned 10 [0280.646] _wcsicmp (_String1="pause", _String2="BMR") returned 14 [0280.646] _wcsicmp (_String1="session", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="sessions", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="sess", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="share", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="start", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="stats", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="statistics", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="stop", _String2="BMR") returned 17 [0280.646] _wcsicmp (_String1="time", _String2="BMR") returned 18 [0280.646] _wcsicmp (_String1="user", _String2="BMR") returned 19 [0280.646] _wcsicmp (_String1="users", _String2="BMR") returned 19 [0280.646] _wcsicmp (_String1="msg", _String2="BMR") returned 11 [0280.646] _wcsicmp (_String1="messenger", _String2="BMR") returned 11 [0280.646] _wcsicmp (_String1="receiver", _String2="BMR") returned 16 [0280.646] _wcsicmp (_String1="rcv", _String2="BMR") returned 16 [0280.647] _wcsicmp (_String1="netpopup", _String2="BMR") returned 12 [0280.647] _wcsicmp (_String1="redirector", _String2="BMR") returned 16 [0280.647] _wcsicmp (_String1="redir", _String2="BMR") returned 16 [0280.647] _wcsicmp (_String1="rdr", _String2="BMR") returned 16 [0280.647] _wcsicmp (_String1="workstation", _String2="BMR") returned 21 [0280.647] _wcsicmp (_String1="work", _String2="BMR") returned 21 [0280.647] _wcsicmp (_String1="wksta", _String2="BMR") returned 21 [0280.647] _wcsicmp (_String1="prdr", _String2="BMR") returned 14 [0280.647] _wcsicmp (_String1="devrdr", _String2="BMR") returned 2 [0280.647] _wcsicmp (_String1="lanmanworkstation", _String2="BMR") returned 10 [0280.647] _wcsicmp (_String1="server", _String2="BMR") returned 17 [0280.647] _wcsicmp (_String1="svr", _String2="BMR") returned 17 [0280.647] _wcsicmp (_String1="srv", _String2="BMR") returned 17 [0280.647] _wcsicmp (_String1="lanmanserver", _String2="BMR") returned 10 [0280.647] _wcsicmp (_String1="alerter", _String2="BMR") returned -1 [0280.647] _wcsicmp (_String1="netlogon", _String2="BMR") returned 12 [0280.647] _wcsicmp (_String1="accounts", _String2="Boot") returned -1 [0280.648] _wcsicmp (_String1="computer", _String2="Boot") returned 1 [0280.648] _wcsicmp (_String1="config", _String2="Boot") returned 1 [0280.648] _wcsicmp (_String1="continue", _String2="Boot") returned 1 [0280.648] _wcsicmp (_String1="cont", _String2="Boot") returned 1 [0280.648] _wcsicmp (_String1="file", _String2="Boot") returned 4 [0280.648] _wcsicmp (_String1="files", _String2="Boot") returned 4 [0280.648] _wcsicmp (_String1="group", _String2="Boot") returned 5 [0280.648] _wcsicmp (_String1="groups", _String2="Boot") returned 5 [0280.648] _wcsicmp (_String1="help", _String2="Boot") returned 6 [0280.648] _wcsicmp (_String1="helpmsg", _String2="Boot") returned 6 [0280.648] _wcsicmp (_String1="localgroup", _String2="Boot") returned 10 [0280.648] _wcsicmp (_String1="pause", _String2="Boot") returned 14 [0280.648] _wcsicmp (_String1="session", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="sessions", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="sess", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="share", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="start", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="stats", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="statistics", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="stop", _String2="Boot") returned 17 [0280.648] _wcsicmp (_String1="time", _String2="Boot") returned 18 [0280.648] _wcsicmp (_String1="user", _String2="Boot") returned 19 [0280.648] _wcsicmp (_String1="users", _String2="Boot") returned 19 [0280.648] _wcsicmp (_String1="msg", _String2="Boot") returned 11 [0280.648] _wcsicmp (_String1="messenger", _String2="Boot") returned 11 [0280.648] _wcsicmp (_String1="receiver", _String2="Boot") returned 16 [0280.648] _wcsicmp (_String1="rcv", _String2="Boot") returned 16 [0280.649] _wcsicmp (_String1="netpopup", _String2="Boot") returned 12 [0280.649] _wcsicmp (_String1="redirector", _String2="Boot") returned 16 [0280.649] _wcsicmp (_String1="redir", _String2="Boot") returned 16 [0280.649] _wcsicmp (_String1="rdr", _String2="Boot") returned 16 [0280.649] _wcsicmp (_String1="workstation", _String2="Boot") returned 21 [0280.649] _wcsicmp (_String1="work", _String2="Boot") returned 21 [0280.649] _wcsicmp (_String1="wksta", _String2="Boot") returned 21 [0280.649] _wcsicmp (_String1="prdr", _String2="Boot") returned 14 [0280.649] _wcsicmp (_String1="devrdr", _String2="Boot") returned 2 [0280.649] _wcsicmp (_String1="lanmanworkstation", _String2="Boot") returned 10 [0280.649] _wcsicmp (_String1="server", _String2="Boot") returned 17 [0280.649] _wcsicmp (_String1="svr", _String2="Boot") returned 17 [0280.649] _wcsicmp (_String1="srv", _String2="Boot") returned 17 [0280.649] _wcsicmp (_String1="lanmanserver", _String2="Boot") returned 10 [0280.649] _wcsicmp (_String1="alerter", _String2="Boot") returned -1 [0280.649] _wcsicmp (_String1="netlogon", _String2="Boot") returned 12 [0280.649] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0280.649] SetThreadUILanguage (LangId=0x0) returned 0x2390409 [0280.737] LoadLibraryExW (lpLibFileName="neth.dll", hFile=0x0, dwFlags=0x822) returned 0x21e0002 [0280.755] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc5d, dwLanguageId=0x0, lpBuffer=0x247f070, nSize=0x0, Arguments=0x247f06c | out: lpBuffer="̨ɚɇ觘\x1bౝ") returned 0xff [0280.845] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="CONTINUE: CONT", _Context=0x1eb) returned="CONTINUE: CONT" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nFILE: FILES" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nGROUP: GROUPS" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSESSION: SESSIONS, SESS" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSTATISTICS: STATS" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nUSER: USERS" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVER: SVR, SRV" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0280.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.845] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x1eb | out: _String="CONTINUE", _Context=0x1eb) returned="CONTINUE" [0280.845] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0280.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a0328 | out: _String=0x0, _Context=0x25a0328) returned=" CONT" [0280.845] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.845] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0280.845] _wcsicmp (_String1="CONT", _String2="BMR") returned 1 [0280.845] _wcsicmp (_String1="CONT", _String2="Boot") returned 1 [0280.845] _wcsicmp (_String1="CONT", _String2="Service") returned -16 [0280.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.845] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nFILE", _Context=0x1eb) returned="\r\nFILE" [0280.845] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a034e | out: _String=0x0, _Context=0x25a034e) returned=" FILES" [0280.845] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.845] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0280.845] _wcsicmp (_String1="FILES", _String2="BMR") returned 4 [0280.846] _wcsicmp (_String1="FILES", _String2="Boot") returned 4 [0280.846] _wcsicmp (_String1="FILES", _String2="Service") returned -13 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.846] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nGROUP", _Context=0x1eb) returned="\r\nGROUP" [0280.846] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a0372 | out: _String=0x0, _Context=0x25a0372) returned=" GROUPS" [0280.846] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.846] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0280.846] _wcsicmp (_String1="GROUPS", _String2="BMR") returned 5 [0280.846] _wcsicmp (_String1="GROUPS", _String2="Boot") returned 5 [0280.846] _wcsicmp (_String1="GROUPS", _String2="Service") returned -12 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.846] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nREPLICATOR", _Context=0x1eb) returned="\r\nREPLICATOR" [0280.846] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a039a | out: _String=0x0, _Context=0x25a039a) returned=" REPL" [0280.846] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.846] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0280.846] _wcsicmp (_String1="REPL", _String2="BMR") returned 16 [0280.846] _wcsicmp (_String1="REPL", _String2="Boot") returned 16 [0280.846] _wcsicmp (_String1="REPL", _String2="Service") returned -1 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REPLICATOR" [0280.846] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.846] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0280.846] _wcsicmp (_String1="REPLICATOR", _String2="BMR") returned 16 [0280.846] _wcsicmp (_String1="REPLICATOR", _String2="Boot") returned 16 [0280.846] _wcsicmp (_String1="REPLICATOR", _String2="Service") returned -1 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.846] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSESSION", _Context=0x1eb) returned="\r\nSESSION" [0280.846] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a03d8 | out: _String=0x0, _Context=0x25a03d8) returned=" SESSIONS" [0280.846] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.846] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0280.846] _wcsicmp (_String1="SESSIONS", _String2="BMR") returned 17 [0280.847] _wcsicmp (_String1="SESSIONS", _String2="Boot") returned 17 [0280.847] _wcsicmp (_String1="SESSIONS", _String2="Service") returned 1 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SESS" [0280.847] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.847] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0280.847] _wcsicmp (_String1="SESS", _String2="BMR") returned 17 [0280.847] _wcsicmp (_String1="SESS", _String2="Boot") returned 17 [0280.847] _wcsicmp (_String1="SESS", _String2="Service") returned 1 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.847] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSTATISTICS", _Context=0x1eb) returned="\r\nSTATISTICS" [0280.847] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a0414 | out: _String=0x0, _Context=0x25a0414) returned=" STATS" [0280.847] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.847] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0280.847] _wcsicmp (_String1="STATS", _String2="BMR") returned 17 [0280.847] _wcsicmp (_String1="STATS", _String2="Boot") returned 17 [0280.847] _wcsicmp (_String1="STATS", _String2="Service") returned 15 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.847] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nUSER", _Context=0x1eb) returned="\r\nUSER" [0280.847] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a0444 | out: _String=0x0, _Context=0x25a0444) returned=" USERS" [0280.847] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.847] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0280.847] _wcsicmp (_String1="USERS", _String2="BMR") returned 19 [0280.847] _wcsicmp (_String1="USERS", _String2="Boot") returned 19 [0280.847] _wcsicmp (_String1="USERS", _String2="Service") returned 2 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.847] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nWORKSTATION", _Context=0x1eb) returned="\r\nWORKSTATION" [0280.847] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a0468 | out: _String=0x0, _Context=0x25a0468) returned=" REDIRECTOR" [0280.847] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.847] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0280.847] _wcsicmp (_String1="REDIRECTOR", _String2="BMR") returned 16 [0280.847] _wcsicmp (_String1="REDIRECTOR", _String2="Boot") returned 16 [0280.847] _wcsicmp (_String1="REDIRECTOR", _String2="Service") returned -1 [0280.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REDIR" [0280.848] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.848] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0280.848] _wcsicmp (_String1="REDIR", _String2="BMR") returned 16 [0280.848] _wcsicmp (_String1="REDIR", _String2="Boot") returned 16 [0280.848] _wcsicmp (_String1="REDIR", _String2="Service") returned -1 [0280.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" RDR" [0280.848] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.848] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0280.848] _wcsicmp (_String1="RDR", _String2="BMR") returned 16 [0280.848] _wcsicmp (_String1="RDR", _String2="Boot") returned 16 [0280.848] _wcsicmp (_String1="RDR", _String2="Service") returned -1 [0280.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WORK" [0280.848] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.848] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0280.848] _wcsicmp (_String1="WORK", _String2="BMR") returned 21 [0280.848] _wcsicmp (_String1="WORK", _String2="Boot") returned 21 [0280.848] _wcsicmp (_String1="WORK", _String2="Service") returned 4 [0280.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WKSTA" [0280.848] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.848] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0280.848] _wcsicmp (_String1="WKSTA", _String2="BMR") returned 21 [0280.848] _wcsicmp (_String1="WKSTA", _String2="Boot") returned 21 [0280.848] _wcsicmp (_String1="WKSTA", _String2="Service") returned 4 [0280.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" PRDR" [0280.848] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.848] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0280.848] _wcsicmp (_String1="PRDR", _String2="BMR") returned 14 [0280.848] _wcsicmp (_String1="PRDR", _String2="Boot") returned 14 [0280.848] _wcsicmp (_String1="PRDR", _String2="Service") returned -3 [0280.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" DEVRDR" [0280.848] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0280.848] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0280.848] _wcsicmp (_String1="DEVRDR", _String2="BMR") returned 2 [0280.848] _wcsicmp (_String1="DEVRDR", _String2="Boot") returned 2 [0280.849] _wcsicmp (_String1="DEVRDR", _String2="Service") returned -15 [0280.849] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.849] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSERVER", _Context=0x1eb) returned="\r\nSERVER" [0280.849] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.849] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x25a04f2 | out: _String=0x0, _Context=0x25a04f2) returned=" SVR" [0280.849] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0280.849] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0280.849] _wcsicmp (_String1="SVR", _String2="BMR") returned 17 [0280.849] _wcsicmp (_String1="SVR", _String2="Boot") returned 17 [0280.849] _wcsicmp (_String1="SVR", _String2="Service") returned 17 [0280.849] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SRV" [0280.849] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.849] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0280.849] _wcsicmp (_String1="SRV", _String2="BMR") returned 17 [0280.849] _wcsicmp (_String1="SRV", _String2="Boot") returned 17 [0280.849] _wcsicmp (_String1="SRV", _String2="Service") returned 13 [0280.849] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.849] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc5e, dwLanguageId=0x0, lpBuffer=0x247f070, nSize=0x0, Arguments=0x247f06c | out: lpBuffer="䦨əɇ警\x1b౞") returned 0x1c [0280.849] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="NAMES", _Context=0x1eb) returned="NAMES" [0280.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSYNTAX" [0280.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVICES" [0280.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0280.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0280.849] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0280.849] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0280.849] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.849] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0280.849] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0280.849] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0280.849] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0280.850] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x21f0002 [0280.851] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x21f0002, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0280.851] GetFileType (hFile=0x94) returned 0x2 [0280.851] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x247f038 | out: lpMode=0x247f038) returned 1 [0280.940] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x247f044, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x247f044*=0x20) returned 1 [0281.007] GetFileType (hFile=0x94) returned 0x2 [0281.007] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x247f038 | out: lpMode=0x247f038) returned 1 [0281.015] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x247f044, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x247f044*=0x2) returned 1 [0281.126] wcscpy_s (in: _Destination=0x247f0e0, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0281.127] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0281.127] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0281.127] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0281.127] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="BMR", _MaxCount=0xffffffff | out: _Destination="NET stop BMR") returned 0x0 [0281.129] wcsncat_s (in: _Destination="NET stop BMR", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop BMR ") returned 0x0 [0281.129] wcsncat_s (in: _Destination="NET stop BMR ", _SizeInWords=0x200, _Source="Boot", _MaxCount=0xffffffff | out: _Destination="NET stop BMR Boot") returned 0x0 [0281.129] wcsncat_s (in: _Destination="NET stop BMR Boot", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop BMR Boot ") returned 0x0 [0281.129] wcsncat_s (in: _Destination="NET stop BMR Boot ", _SizeInWords=0x200, _Source="Service", _MaxCount=0xffffffff | out: _Destination="NET stop BMR Boot Service") returned 0x0 [0281.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௼") returned 0xad [0281.129] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET ACCOUNTS\r\n[/FORCELOGO", _MaxCount=0x19) returned 18 [0281.129] LocalFree (hMem=0x25a0530) returned 0x0 [0281.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௿") returned 0x2e [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET COMPUTER\r\n\\\\computern", _MaxCount=0x19) returned 16 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bం") returned 0x7d [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET CONFIG SERVER\r\n[/AUTO", _MaxCount=0x19) returned 16 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఅ") returned 0x26 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET CONFIG\r\n[SERVER | WOR", _MaxCount=0x19) returned 16 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఈ") returned 0x19 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 16 [0281.130] LocalFree (hMem=0x2593f30) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఋ") returned 0x1b [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET FILE\r\n[id [/CLOSE]]\r\n", _MaxCount=0x19) returned 13 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఎ") returned 0xbe [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET GROUP\r\n[groupname [/C", _MaxCount=0x19) returned 12 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b఑") returned 0x33 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET HELP\r\ncommand\r\n -", _MaxCount=0x19) returned 11 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఔ") returned 0x19 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x19) returned 11 [0281.130] LocalFree (hMem=0x2593f30) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bగ") returned 0xc1 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET LOCALGROUP\r\n[groupnam", _MaxCount=0x19) returned 7 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bచ") returned 0x16 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 3 [0281.130] LocalFree (hMem=0x2593a50) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఝ") returned 0x33 [0281.130] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET SESSION\r\n[\\\\computern", _MaxCount=0x19) returned 15 [0281.130] LocalFree (hMem=0x25a0530) returned 0x0 [0281.130] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఠ") returned 0x234 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x19) returned 12 [0281.131] LocalFree (hMem=0x25a0530) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bణ") returned 0x13 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START BROWSER\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x25947d0) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bద") returned 0x14 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START EVENTLOG\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x25940f8) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1b఩") returned 0x14 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START NETLOGON\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x25940f8) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㤈əɇ蛬\x1bబ") returned 0x11 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START RPCSS\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x2593908) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bయ") returned 0x14 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START SCHEDULE\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x25940f8) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bల") returned 0x12 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START SERVER\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x25947d0) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䖨əɇ蛬\x1bవ") returned 0xf [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START UPS\r\n", _MaxCount=0x19) returned 14 [0281.131] LocalFree (hMem=0x25945a8) returned 0x0 [0281.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bస") returned 0x17 [0281.131] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START WORKSTATION\r\n", _MaxCount=0x19) returned 14 [0281.132] LocalFree (hMem=0x2593a50) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1b఻") returned 0x18 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x19) returned 14 [0281.132] LocalFree (hMem=0x2593a50) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bా") returned 0x21 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET STATISTICS\r\n[WORKSTAT", _MaxCount=0x19) returned 14 [0281.132] LocalFree (hMem=0x25a0530) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bు") returned 0x15 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x19) returned 19 [0281.132] LocalFree (hMem=0x2593a50) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౄ") returned 0x58 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET TIME\r\n\r\n[\\\\computerna", _MaxCount=0x19) returned -1 [0281.132] LocalFree (hMem=0x25a0530) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bే") returned 0x184 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET USE\r\n[devicename | *]", _MaxCount=0x19) returned -2 [0281.132] LocalFree (hMem=0x25a0530) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bొ") returned 0xf0 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET USER\r\n[username [pass", _MaxCount=0x19) returned -2 [0281.132] LocalFree (hMem=0x25a0530) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b్") returned 0x47 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET VIEW\r\n[\\\\computername", _MaxCount=0x19) returned -3 [0281.132] LocalFree (hMem=0x25a0530) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౐") returned 0xc2 [0281.132] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET\r\n [ ACCOUNTS | COM", _MaxCount=0x19) returned 19 [0281.132] LocalFree (hMem=0x25a0530) returned 0x0 [0281.132] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౓") returned 0x28d [0281.133] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="SERVICES\r\nNET START can b", _MaxCount=0x19) returned -5 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౖ") returned 0x483 [0281.133] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="SYNTAX\r\nThe following con", _MaxCount=0x19) returned -5 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౙ") returned 0xa86 [0281.133] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NAMES\r\nThe following type", _MaxCount=0x19) returned 4 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౜") returned 0x54 [0281.133] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="\r\nFor more information on", _MaxCount=0x19) returned 97 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௼") returned 0xad [0281.133] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET ACCOUNTS\r\n[/F", _MaxCount=0x11) returned 18 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௿") returned 0x2e [0281.133] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET COMPUTER\r\n\\\\c", _MaxCount=0x11) returned 16 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bం") returned 0x7d [0281.133] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET CONFIG SERVER", _MaxCount=0x11) returned 16 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఅ") returned 0x26 [0281.133] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET CONFIG\r\n[SERV", _MaxCount=0x11) returned 16 [0281.133] LocalFree (hMem=0x25a0530) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఈ") returned 0x19 [0281.133] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET CONTINUE\r\nser", _MaxCount=0x11) returned 16 [0281.133] LocalFree (hMem=0x2593f30) returned 0x0 [0281.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఋ") returned 0x1b [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET FILE\r\n[id [/C", _MaxCount=0x11) returned 13 [0281.134] LocalFree (hMem=0x25a0530) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఎ") returned 0xbe [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET GROUP\r\n[group", _MaxCount=0x11) returned 12 [0281.134] LocalFree (hMem=0x25a0530) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b఑") returned 0x33 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET HELP\r\ncommand", _MaxCount=0x11) returned 11 [0281.134] LocalFree (hMem=0x25a0530) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఔ") returned 0x19 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET HELPMSG\r\nmess", _MaxCount=0x11) returned 11 [0281.134] LocalFree (hMem=0x2593f30) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bగ") returned 0xc1 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET LOCALGROUP\r\n[", _MaxCount=0x11) returned 7 [0281.134] LocalFree (hMem=0x25a0530) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bచ") returned 0x16 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET PAUSE\r\nservic", _MaxCount=0x11) returned 3 [0281.134] LocalFree (hMem=0x2593a50) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఝ") returned 0x33 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET SESSION\r\n[\\\\c", _MaxCount=0x11) returned 15 [0281.134] LocalFree (hMem=0x25a0530) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఠ") returned 0x234 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET SHARE\r\nsharen", _MaxCount=0x11) returned 12 [0281.134] LocalFree (hMem=0x25a0530) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bణ") returned 0x13 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START BROWSER", _MaxCount=0x11) returned 14 [0281.134] LocalFree (hMem=0x25947d0) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bద") returned 0x14 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START EVENTLO", _MaxCount=0x11) returned 14 [0281.134] LocalFree (hMem=0x25940f8) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1b఩") returned 0x14 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START NETLOGO", _MaxCount=0x11) returned 14 [0281.134] LocalFree (hMem=0x25940f8) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㤈əɇ蛬\x1bబ") returned 0x11 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START RPCSS\r\n", _MaxCount=0x11) returned 14 [0281.134] LocalFree (hMem=0x2593908) returned 0x0 [0281.134] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bయ") returned 0x14 [0281.134] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START SCHEDUL", _MaxCount=0x11) returned 14 [0281.135] LocalFree (hMem=0x25940f8) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bల") returned 0x12 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START SERVER\r", _MaxCount=0x11) returned 14 [0281.135] LocalFree (hMem=0x25947d0) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䖨əɇ蛬\x1bవ") returned 0xf [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START UPS\r\n", _MaxCount=0x11) returned 14 [0281.135] LocalFree (hMem=0x25945a8) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bస") returned 0x17 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START WORKSTA", _MaxCount=0x11) returned 14 [0281.135] LocalFree (hMem=0x2593a50) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1b఻") returned 0x18 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START\r\n[servi", _MaxCount=0x11) returned 14 [0281.135] LocalFree (hMem=0x2593a50) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bా") returned 0x21 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET STATISTICS\r\n[", _MaxCount=0x11) returned 14 [0281.135] LocalFree (hMem=0x25a0530) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bు") returned 0x15 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET STOP\r\nservice", _MaxCount=0x11) returned 19 [0281.135] LocalFree (hMem=0x2593a50) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౄ") returned 0x58 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET TIME\r\n\r\n[\\\\co", _MaxCount=0x11) returned -1 [0281.135] LocalFree (hMem=0x25a0530) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bే") returned 0x184 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET USE\r\n[devicen", _MaxCount=0x11) returned -2 [0281.135] LocalFree (hMem=0x25a0530) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bొ") returned 0xf0 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET USER\r\n[userna", _MaxCount=0x11) returned -2 [0281.135] LocalFree (hMem=0x25a0530) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b్") returned 0x47 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET VIEW\r\n[\\\\comp", _MaxCount=0x11) returned -3 [0281.135] LocalFree (hMem=0x25a0530) returned 0x0 [0281.135] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౐") returned 0xc2 [0281.135] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET\r\n [ ACCOUN", _MaxCount=0x11) returned 19 [0281.135] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౓") returned 0x28d [0281.136] _wcsnicmp (_String1="NET stop BMR Boot", _String2="SERVICES\r\nNET STA", _MaxCount=0x11) returned -5 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౖ") returned 0x483 [0281.136] _wcsnicmp (_String1="NET stop BMR Boot", _String2="SYNTAX\r\nThe follo", _MaxCount=0x11) returned -5 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౙ") returned 0xa86 [0281.136] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NAMES\r\nThe follow", _MaxCount=0x11) returned 4 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౜") returned 0x54 [0281.136] _wcsnicmp (_String1="NET stop BMR Boot", _String2="\r\nFor more inform", _MaxCount=0x11) returned 97 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௼") returned 0xad [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET ACCOUNTS", _MaxCount=0xc) returned 18 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௿") returned 0x2e [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET COMPUTER", _MaxCount=0xc) returned 16 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bం") returned 0x7d [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET CONFIG S", _MaxCount=0xc) returned 16 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఅ") returned 0x26 [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET CONFIG\r\n", _MaxCount=0xc) returned 16 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఈ") returned 0x19 [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET CONTINUE", _MaxCount=0xc) returned 16 [0281.136] LocalFree (hMem=0x2593f30) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఋ") returned 0x1b [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET FILE\r\n[i", _MaxCount=0xc) returned 13 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఎ") returned 0xbe [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET GROUP\r\n[", _MaxCount=0xc) returned 12 [0281.136] LocalFree (hMem=0x25a0530) returned 0x0 [0281.136] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b఑") returned 0x33 [0281.136] _wcsnicmp (_String1="NET stop BMR", _String2="NET HELP\r\nco", _MaxCount=0xc) returned 11 [0281.137] LocalFree (hMem=0x25a0530) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఔ") returned 0x19 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET HELPMSG\r", _MaxCount=0xc) returned 11 [0281.137] LocalFree (hMem=0x2593f30) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bగ") returned 0xc1 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET LOCALGRO", _MaxCount=0xc) returned 7 [0281.137] LocalFree (hMem=0x25a0530) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bచ") returned 0x16 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET PAUSE\r\ns", _MaxCount=0xc) returned 3 [0281.137] LocalFree (hMem=0x2593a50) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఝ") returned 0x33 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET SESSION\r", _MaxCount=0xc) returned 15 [0281.137] LocalFree (hMem=0x25a0530) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఠ") returned 0x234 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET SHARE\r\ns", _MaxCount=0xc) returned 12 [0281.137] LocalFree (hMem=0x25a0530) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bణ") returned 0x13 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET START BR", _MaxCount=0xc) returned 14 [0281.137] LocalFree (hMem=0x25947d0) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bద") returned 0x14 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET START EV", _MaxCount=0xc) returned 14 [0281.137] LocalFree (hMem=0x25940f8) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1b఩") returned 0x14 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET START NE", _MaxCount=0xc) returned 14 [0281.137] LocalFree (hMem=0x25940f8) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㤈əɇ蛬\x1bబ") returned 0x11 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET START RP", _MaxCount=0xc) returned 14 [0281.137] LocalFree (hMem=0x2593908) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bయ") returned 0x14 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET START SC", _MaxCount=0xc) returned 14 [0281.137] LocalFree (hMem=0x25940f8) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bల") returned 0x12 [0281.137] _wcsnicmp (_String1="NET stop BMR", _String2="NET START SE", _MaxCount=0xc) returned 14 [0281.137] LocalFree (hMem=0x25947d0) returned 0x0 [0281.137] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䖨əɇ蛬\x1bవ") returned 0xf [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET START UP", _MaxCount=0xc) returned 14 [0281.138] LocalFree (hMem=0x25945a8) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bస") returned 0x17 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET START WO", _MaxCount=0xc) returned 14 [0281.138] LocalFree (hMem=0x2593a50) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1b఻") returned 0x18 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET START\r\n[", _MaxCount=0xc) returned 14 [0281.138] LocalFree (hMem=0x2593a50) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bా") returned 0x21 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET STATISTI", _MaxCount=0xc) returned 14 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bు") returned 0x15 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET STOP\r\nse", _MaxCount=0xc) returned 19 [0281.138] LocalFree (hMem=0x2593a50) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౄ") returned 0x58 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET TIME\r\n\r\n", _MaxCount=0xc) returned -1 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bే") returned 0x184 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET USE\r\n[de", _MaxCount=0xc) returned -2 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bొ") returned 0xf0 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET USER\r\n[u", _MaxCount=0xc) returned -2 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b్") returned 0x47 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET VIEW\r\n[\\", _MaxCount=0xc) returned -3 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౐") returned 0xc2 [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="NET\r\n [ A", _MaxCount=0xc) returned 19 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౓") returned 0x28d [0281.138] _wcsnicmp (_String1="NET stop BMR", _String2="SERVICES\r\nNE", _MaxCount=0xc) returned -5 [0281.138] LocalFree (hMem=0x25a0530) returned 0x0 [0281.138] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౖ") returned 0x483 [0281.139] _wcsnicmp (_String1="NET stop BMR", _String2="SYNTAX\r\nThe ", _MaxCount=0xc) returned -5 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bౙ") returned 0xa86 [0281.139] _wcsnicmp (_String1="NET stop BMR", _String2="NAMES\r\nThe f", _MaxCount=0xc) returned 4 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b౜") returned 0x54 [0281.139] _wcsnicmp (_String1="NET stop BMR", _String2="\r\nFor more i", _MaxCount=0xc) returned 97 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௼") returned 0xad [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b௿") returned 0x2e [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bం") returned 0x7d [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఅ") returned 0x26 [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఈ") returned 0x19 [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0281.139] LocalFree (hMem=0x2593f30) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఋ") returned 0x1b [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bఎ") returned 0xbe [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1b఑") returned 0x33 [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0281.139] LocalFree (hMem=0x25a0530) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㼰əɇ蛬\x1bఔ") returned 0x19 [0281.139] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0281.139] LocalFree (hMem=0x2593f30) returned 0x0 [0281.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="԰ɚɇ蛬\x1bగ") returned 0xc1 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0281.140] LocalFree (hMem=0x25a0530) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bచ") returned 0x16 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0281.140] LocalFree (hMem=0x25940f8) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="ᔸɚɇ蛬\x1bఝ") returned 0x33 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0281.140] LocalFree (hMem=0x25a1538) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="ᔸɚɇ蛬\x1bఠ") returned 0x234 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0281.140] LocalFree (hMem=0x25a1538) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bణ") returned 0x13 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x25947d0) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bద") returned 0x14 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x25940f8) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1b఩") returned 0x14 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x25940f8) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㤈əɇ蛬\x1bబ") returned 0x11 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x2593908) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bయ") returned 0x14 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x25940f8) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䟐əɇ蛬\x1bల") returned 0x12 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x25947d0) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䖨əɇ蛬\x1bవ") returned 0xf [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x25945a8) returned 0x0 [0281.140] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1bస") returned 0x17 [0281.140] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.140] LocalFree (hMem=0x2593a50) returned 0x0 [0281.141] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="㩐əɇ蛬\x1b఻") returned 0x18 [0281.141] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.141] LocalFree (hMem=0x2593a50) returned 0x0 [0281.141] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="ᔸɚɇ蛬\x1bా") returned 0x21 [0281.141] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0281.141] LocalFree (hMem=0x25a1538) returned 0x0 [0281.141] FormatMessageW (in: dwFlags=0x1900, lpSource=0x21e0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x247f054, nSize=0x0, Arguments=0x247f050 | out: lpBuffer="䃸əɇ蛬\x1bు") returned 0x15 [0281.141] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0281.141] GetFileType (hFile=0x94) returned 0x2 [0281.141] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x247f050 | out: lpMode=0x247f050) returned 1 [0281.190] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x25940f8*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x247f054, lpReserved=0x0 | out: lpBuffer=0x25940f8*, lpNumberOfCharsWritten=0x247f054*=0x15) returned 1 [0281.284] LocalFree (hMem=0x25940f8) returned 0x0 [0281.284] NetApiBufferFree (Buffer=0x2597d80) returned 0x0 [0281.284] NetApiBufferFree (Buffer=0x2597d68) returned 0x0 [0281.284] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BMR Boot Service /y" [0281.284] exit (_Code=1) Thread: id = 45 os_tid = 0x10b0 Process: id = "16" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5b9af000" os_pid = "0x10a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop NetBackup BMR MTFTP Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x10a4 Thread: id = 50 os_tid = 0x10ec Process: id = "17" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3b394000" os_pid = "0x110c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x10a8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 47 os_tid = 0x10ac Thread: id = 48 os_tid = 0x10e4 Thread: id = 49 os_tid = 0x10e0 Process: id = "18" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5b193000" os_pid = "0x1110" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x10a8" cmd_line = "C:\\WINDOWS\\system32\\net1 stop NetBackup BMR MTFTP Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 51 os_tid = 0x112c [0281.916] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0281.916] __set_app_type (_Type=0x1) [0281.916] __p__fmode () returned 0x776f3c14 [0281.917] __p__commode () returned 0x776f49ec [0281.917] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0281.917] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0281.917] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0281.917] GetConsoleOutputCP () returned 0x1b5 [0281.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0281.917] SetThreadUILanguage (LangId=0x0) returned 0x2f30409 [0281.920] sprintf_s (in: _DstBuf=0x2dafa70, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0281.920] setlocale (category=0, locale=".437") returned="English_United States.437" [0281.922] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0281.922] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0281.922] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop NetBackup BMR MTFTP Service /y" [0281.922] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2daf818, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0281.922] RtlAllocateHeap (HeapHandle=0x31f0000, Flags=0x0, Size=0x96) returned 0x31f47e8 [0281.922] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0281.922] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2daf814 | out: Buffer=0x2daf814*=0x31f7dc8) returned 0x0 [0281.922] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2daf810 | out: Buffer=0x2daf810*=0x31f7de0) returned 0x0 [0281.922] __iob_func () returned 0x776f2608 [0281.922] _fileno (_File=0x776f2608) returned 0 [0281.922] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0281.922] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0281.922] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0281.922] _wcsicmp (_String1="config", _String2="stop") returned -16 [0281.922] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0281.922] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0281.922] _wcsicmp (_String1="file", _String2="stop") returned -13 [0281.922] _wcsicmp (_String1="files", _String2="stop") returned -13 [0281.922] _wcsicmp (_String1="group", _String2="stop") returned -12 [0281.922] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0281.922] _wcsicmp (_String1="help", _String2="stop") returned -11 [0281.922] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0281.922] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0281.922] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0281.922] _wcsicmp (_String1="session", _String2="stop") returned -15 [0281.923] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0281.923] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0281.923] _wcsicmp (_String1="share", _String2="stop") returned -12 [0281.923] _wcsicmp (_String1="start", _String2="stop") returned -14 [0281.923] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0281.923] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0281.923] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0281.923] _wcsicmp (_String1="accounts", _String2="NetBackup") returned -13 [0281.923] _wcsicmp (_String1="computer", _String2="NetBackup") returned -11 [0281.923] _wcsicmp (_String1="config", _String2="NetBackup") returned -11 [0281.923] _wcsicmp (_String1="continue", _String2="NetBackup") returned -11 [0281.923] _wcsicmp (_String1="cont", _String2="NetBackup") returned -11 [0281.923] _wcsicmp (_String1="file", _String2="NetBackup") returned -8 [0281.923] _wcsicmp (_String1="files", _String2="NetBackup") returned -8 [0281.923] _wcsicmp (_String1="group", _String2="NetBackup") returned -7 [0281.923] _wcsicmp (_String1="groups", _String2="NetBackup") returned -7 [0281.923] _wcsicmp (_String1="help", _String2="NetBackup") returned -6 [0281.923] _wcsicmp (_String1="helpmsg", _String2="NetBackup") returned -6 [0281.923] _wcsicmp (_String1="localgroup", _String2="NetBackup") returned -2 [0281.923] _wcsicmp (_String1="pause", _String2="NetBackup") returned 2 [0281.923] _wcsicmp (_String1="session", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="sessions", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="sess", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="share", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="start", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="stats", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="statistics", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="stop", _String2="NetBackup") returned 5 [0281.923] _wcsicmp (_String1="time", _String2="NetBackup") returned 6 [0281.923] _wcsicmp (_String1="user", _String2="NetBackup") returned 7 [0281.923] _wcsicmp (_String1="users", _String2="NetBackup") returned 7 [0281.923] _wcsicmp (_String1="msg", _String2="NetBackup") returned -1 [0281.923] _wcsicmp (_String1="messenger", _String2="NetBackup") returned -1 [0281.923] _wcsicmp (_String1="receiver", _String2="NetBackup") returned 4 [0281.923] _wcsicmp (_String1="rcv", _String2="NetBackup") returned 4 [0281.924] _wcsicmp (_String1="netpopup", _String2="NetBackup") returned 14 [0281.924] _wcsicmp (_String1="redirector", _String2="NetBackup") returned 4 [0281.924] _wcsicmp (_String1="redir", _String2="NetBackup") returned 4 [0281.924] _wcsicmp (_String1="rdr", _String2="NetBackup") returned 4 [0281.924] _wcsicmp (_String1="workstation", _String2="NetBackup") returned 9 [0281.924] _wcsicmp (_String1="work", _String2="NetBackup") returned 9 [0281.924] _wcsicmp (_String1="wksta", _String2="NetBackup") returned 9 [0281.924] _wcsicmp (_String1="prdr", _String2="NetBackup") returned 2 [0281.924] _wcsicmp (_String1="devrdr", _String2="NetBackup") returned -10 [0281.924] _wcsicmp (_String1="lanmanworkstation", _String2="NetBackup") returned -2 [0281.924] _wcsicmp (_String1="server", _String2="NetBackup") returned 5 [0281.924] _wcsicmp (_String1="svr", _String2="NetBackup") returned 5 [0281.924] _wcsicmp (_String1="srv", _String2="NetBackup") returned 5 [0281.924] _wcsicmp (_String1="lanmanserver", _String2="NetBackup") returned -2 [0281.924] _wcsicmp (_String1="alerter", _String2="NetBackup") returned -13 [0281.924] _wcsicmp (_String1="netlogon", _String2="NetBackup") returned 10 [0281.924] _wcsicmp (_String1="accounts", _String2="BMR") returned -1 [0281.924] _wcsicmp (_String1="computer", _String2="BMR") returned 1 [0281.924] _wcsicmp (_String1="config", _String2="BMR") returned 1 [0281.924] _wcsicmp (_String1="continue", _String2="BMR") returned 1 [0281.924] _wcsicmp (_String1="cont", _String2="BMR") returned 1 [0281.924] _wcsicmp (_String1="file", _String2="BMR") returned 4 [0281.924] _wcsicmp (_String1="files", _String2="BMR") returned 4 [0281.924] _wcsicmp (_String1="group", _String2="BMR") returned 5 [0281.924] _wcsicmp (_String1="groups", _String2="BMR") returned 5 [0281.924] _wcsicmp (_String1="help", _String2="BMR") returned 6 [0281.924] _wcsicmp (_String1="helpmsg", _String2="BMR") returned 6 [0281.924] _wcsicmp (_String1="localgroup", _String2="BMR") returned 10 [0281.925] _wcsicmp (_String1="pause", _String2="BMR") returned 14 [0281.925] _wcsicmp (_String1="session", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="sessions", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="sess", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="share", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="start", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="stats", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="statistics", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="stop", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="time", _String2="BMR") returned 18 [0281.925] _wcsicmp (_String1="user", _String2="BMR") returned 19 [0281.925] _wcsicmp (_String1="users", _String2="BMR") returned 19 [0281.925] _wcsicmp (_String1="msg", _String2="BMR") returned 11 [0281.925] _wcsicmp (_String1="messenger", _String2="BMR") returned 11 [0281.925] _wcsicmp (_String1="receiver", _String2="BMR") returned 16 [0281.925] _wcsicmp (_String1="rcv", _String2="BMR") returned 16 [0281.925] _wcsicmp (_String1="netpopup", _String2="BMR") returned 12 [0281.925] _wcsicmp (_String1="redirector", _String2="BMR") returned 16 [0281.925] _wcsicmp (_String1="redir", _String2="BMR") returned 16 [0281.925] _wcsicmp (_String1="rdr", _String2="BMR") returned 16 [0281.925] _wcsicmp (_String1="workstation", _String2="BMR") returned 21 [0281.925] _wcsicmp (_String1="work", _String2="BMR") returned 21 [0281.925] _wcsicmp (_String1="wksta", _String2="BMR") returned 21 [0281.925] _wcsicmp (_String1="prdr", _String2="BMR") returned 14 [0281.925] _wcsicmp (_String1="devrdr", _String2="BMR") returned 2 [0281.925] _wcsicmp (_String1="lanmanworkstation", _String2="BMR") returned 10 [0281.925] _wcsicmp (_String1="server", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="svr", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="srv", _String2="BMR") returned 17 [0281.925] _wcsicmp (_String1="lanmanserver", _String2="BMR") returned 10 [0281.925] _wcsicmp (_String1="alerter", _String2="BMR") returned -1 [0281.925] _wcsicmp (_String1="netlogon", _String2="BMR") returned 12 [0281.925] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0281.925] SetThreadUILanguage (LangId=0x0) returned 0x2f30409 [0281.926] LoadLibraryExW (lpLibFileName="neth.dll", hFile=0x0, dwFlags=0x822) returned 0x2df0002 [0281.927] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc5d, dwLanguageId=0x0, lpBuffer=0x2daf2e8, nSize=0x0, Arguments=0x2daf2e4 | out: lpBuffer="̨̠˚觘\x1bౝ") returned 0xff [0281.928] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="CONTINUE: CONT", _Context=0x1eb) returned="CONTINUE: CONT" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nFILE: FILES" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nGROUP: GROUPS" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSESSION: SESSIONS, SESS" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSTATISTICS: STATS" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nUSER: USERS" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVER: SVR, SRV" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0281.928] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.928] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x1eb | out: _String="CONTINUE", _Context=0x1eb) returned="CONTINUE" [0281.928] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0281.928] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3200328 | out: _String=0x0, _Context=0x3200328) returned=" CONT" [0281.928] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.928] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0281.928] _wcsicmp (_String1="CONT", _String2="NetBackup") returned -11 [0281.928] _wcsicmp (_String1="CONT", _String2="BMR") returned 1 [0281.928] _wcsicmp (_String1="CONT", _String2="MTFTP") returned -10 [0281.928] _wcsicmp (_String1="CONT", _String2="Service") returned -16 [0281.928] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.928] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nFILE", _Context=0x1eb) returned="\r\nFILE" [0281.928] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.928] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x320034e | out: _String=0x0, _Context=0x320034e) returned=" FILES" [0281.928] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.928] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0281.928] _wcsicmp (_String1="FILES", _String2="NetBackup") returned -8 [0281.928] _wcsicmp (_String1="FILES", _String2="BMR") returned 4 [0281.929] _wcsicmp (_String1="FILES", _String2="MTFTP") returned -7 [0281.929] _wcsicmp (_String1="FILES", _String2="Service") returned -13 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.929] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nGROUP", _Context=0x1eb) returned="\r\nGROUP" [0281.929] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3200372 | out: _String=0x0, _Context=0x3200372) returned=" GROUPS" [0281.929] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.929] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0281.929] _wcsicmp (_String1="GROUPS", _String2="NetBackup") returned -7 [0281.929] _wcsicmp (_String1="GROUPS", _String2="BMR") returned 5 [0281.929] _wcsicmp (_String1="GROUPS", _String2="MTFTP") returned -6 [0281.929] _wcsicmp (_String1="GROUPS", _String2="Service") returned -12 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.929] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nREPLICATOR", _Context=0x1eb) returned="\r\nREPLICATOR" [0281.929] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x320039a | out: _String=0x0, _Context=0x320039a) returned=" REPL" [0281.929] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.929] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0281.929] _wcsicmp (_String1="REPL", _String2="NetBackup") returned 4 [0281.929] _wcsicmp (_String1="REPL", _String2="BMR") returned 16 [0281.929] _wcsicmp (_String1="REPL", _String2="MTFTP") returned 5 [0281.929] _wcsicmp (_String1="REPL", _String2="Service") returned -1 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REPLICATOR" [0281.929] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.929] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0281.929] _wcsicmp (_String1="REPLICATOR", _String2="NetBackup") returned 4 [0281.929] _wcsicmp (_String1="REPLICATOR", _String2="BMR") returned 16 [0281.929] _wcsicmp (_String1="REPLICATOR", _String2="MTFTP") returned 5 [0281.929] _wcsicmp (_String1="REPLICATOR", _String2="Service") returned -1 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.929] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSESSION", _Context=0x1eb) returned="\r\nSESSION" [0281.929] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.929] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x32003d8 | out: _String=0x0, _Context=0x32003d8) returned=" SESSIONS" [0281.929] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.929] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0281.929] _wcsicmp (_String1="SESSIONS", _String2="NetBackup") returned 5 [0281.930] _wcsicmp (_String1="SESSIONS", _String2="BMR") returned 17 [0281.930] _wcsicmp (_String1="SESSIONS", _String2="MTFTP") returned 6 [0281.930] _wcsicmp (_String1="SESSIONS", _String2="Service") returned 1 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SESS" [0281.930] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.930] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0281.930] _wcsicmp (_String1="SESS", _String2="NetBackup") returned 5 [0281.930] _wcsicmp (_String1="SESS", _String2="BMR") returned 17 [0281.930] _wcsicmp (_String1="SESS", _String2="MTFTP") returned 6 [0281.930] _wcsicmp (_String1="SESS", _String2="Service") returned 1 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.930] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSTATISTICS", _Context=0x1eb) returned="\r\nSTATISTICS" [0281.930] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3200414 | out: _String=0x0, _Context=0x3200414) returned=" STATS" [0281.930] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.930] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0281.930] _wcsicmp (_String1="STATS", _String2="NetBackup") returned 5 [0281.930] _wcsicmp (_String1="STATS", _String2="BMR") returned 17 [0281.930] _wcsicmp (_String1="STATS", _String2="MTFTP") returned 6 [0281.930] _wcsicmp (_String1="STATS", _String2="Service") returned 15 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.930] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nUSER", _Context=0x1eb) returned="\r\nUSER" [0281.930] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3200444 | out: _String=0x0, _Context=0x3200444) returned=" USERS" [0281.930] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.930] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0281.930] _wcsicmp (_String1="USERS", _String2="NetBackup") returned 7 [0281.930] _wcsicmp (_String1="USERS", _String2="BMR") returned 19 [0281.930] _wcsicmp (_String1="USERS", _String2="MTFTP") returned 8 [0281.930] _wcsicmp (_String1="USERS", _String2="Service") returned 2 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.930] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nWORKSTATION", _Context=0x1eb) returned="\r\nWORKSTATION" [0281.930] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.930] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3200468 | out: _String=0x0, _Context=0x3200468) returned=" REDIRECTOR" [0281.930] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.930] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0281.931] _wcsicmp (_String1="REDIRECTOR", _String2="NetBackup") returned 4 [0281.931] _wcsicmp (_String1="REDIRECTOR", _String2="BMR") returned 16 [0281.931] _wcsicmp (_String1="REDIRECTOR", _String2="MTFTP") returned 5 [0281.931] _wcsicmp (_String1="REDIRECTOR", _String2="Service") returned -1 [0281.931] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REDIR" [0281.931] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.931] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0281.931] _wcsicmp (_String1="REDIR", _String2="NetBackup") returned 4 [0281.931] _wcsicmp (_String1="REDIR", _String2="BMR") returned 16 [0281.931] _wcsicmp (_String1="REDIR", _String2="MTFTP") returned 5 [0281.931] _wcsicmp (_String1="REDIR", _String2="Service") returned -1 [0281.931] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" RDR" [0281.931] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.931] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0281.931] _wcsicmp (_String1="RDR", _String2="NetBackup") returned 4 [0281.931] _wcsicmp (_String1="RDR", _String2="BMR") returned 16 [0281.931] _wcsicmp (_String1="RDR", _String2="MTFTP") returned 5 [0281.931] _wcsicmp (_String1="RDR", _String2="Service") returned -1 [0281.931] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WORK" [0281.931] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.931] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0281.931] _wcsicmp (_String1="WORK", _String2="NetBackup") returned 9 [0281.931] _wcsicmp (_String1="WORK", _String2="BMR") returned 21 [0281.931] _wcsicmp (_String1="WORK", _String2="MTFTP") returned 10 [0281.931] _wcsicmp (_String1="WORK", _String2="Service") returned 4 [0281.931] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WKSTA" [0281.931] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.931] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0281.931] _wcsicmp (_String1="WKSTA", _String2="NetBackup") returned 9 [0281.931] _wcsicmp (_String1="WKSTA", _String2="BMR") returned 21 [0281.931] _wcsicmp (_String1="WKSTA", _String2="MTFTP") returned 10 [0281.931] _wcsicmp (_String1="WKSTA", _String2="Service") returned 4 [0281.931] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" PRDR" [0281.931] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.931] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0281.931] _wcsicmp (_String1="PRDR", _String2="NetBackup") returned 2 [0281.931] _wcsicmp (_String1="PRDR", _String2="BMR") returned 14 [0281.932] _wcsicmp (_String1="PRDR", _String2="MTFTP") returned 3 [0281.932] _wcsicmp (_String1="PRDR", _String2="Service") returned -3 [0281.932] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" DEVRDR" [0281.932] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0281.932] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0281.932] _wcsicmp (_String1="DEVRDR", _String2="NetBackup") returned -10 [0281.932] _wcsicmp (_String1="DEVRDR", _String2="BMR") returned 2 [0281.932] _wcsicmp (_String1="DEVRDR", _String2="MTFTP") returned -9 [0281.932] _wcsicmp (_String1="DEVRDR", _String2="Service") returned -15 [0281.932] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.932] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSERVER", _Context=0x1eb) returned="\r\nSERVER" [0281.932] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.932] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x32004f2 | out: _String=0x0, _Context=0x32004f2) returned=" SVR" [0281.932] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0281.932] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0281.932] _wcsicmp (_String1="SVR", _String2="NetBackup") returned 5 [0281.932] _wcsicmp (_String1="SVR", _String2="BMR") returned 17 [0281.932] _wcsicmp (_String1="SVR", _String2="MTFTP") returned 6 [0281.932] _wcsicmp (_String1="SVR", _String2="Service") returned 17 [0281.932] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SRV" [0281.932] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.932] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0281.932] _wcsicmp (_String1="SRV", _String2="NetBackup") returned 5 [0281.932] _wcsicmp (_String1="SRV", _String2="BMR") returned 17 [0281.932] _wcsicmp (_String1="SRV", _String2="MTFTP") returned 6 [0281.932] _wcsicmp (_String1="SRV", _String2="Service") returned 13 [0281.932] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.932] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc5e, dwLanguageId=0x0, lpBuffer=0x2daf2e8, nSize=0x0, Arguments=0x2daf2e4 | out: lpBuffer="䧀̟˚警\x1b౞") returned 0x1c [0281.932] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="NAMES", _Context=0x1eb) returned="NAMES" [0281.932] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSYNTAX" [0281.932] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVICES" [0281.932] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0281.932] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0281.932] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0281.932] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0281.932] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.933] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0281.933] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0281.933] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0281.933] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0281.933] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x31b0002 [0281.933] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x31b0002, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0281.934] GetFileType (hFile=0x94) returned 0x2 [0281.934] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2daf2b0 | out: lpMode=0x2daf2b0) returned 1 [0281.934] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x2daf2bc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2daf2bc*=0x20) returned 1 [0281.935] GetFileType (hFile=0x94) returned 0x2 [0281.935] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2daf2b0 | out: lpMode=0x2daf2b0) returned 1 [0281.935] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2daf2bc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2daf2bc*=0x2) returned 1 [0281.935] wcscpy_s (in: _Destination=0x2daf358, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0281.935] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0281.935] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0281.935] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0281.935] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="NetBackup", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup") returned 0x0 [0281.935] wcsncat_s (in: _Destination="NET stop NetBackup", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup ") returned 0x0 [0281.936] wcsncat_s (in: _Destination="NET stop NetBackup ", _SizeInWords=0x200, _Source="BMR", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR") returned 0x0 [0281.936] wcsncat_s (in: _Destination="NET stop NetBackup BMR", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR ") returned 0x0 [0281.936] wcsncat_s (in: _Destination="NET stop NetBackup BMR ", _SizeInWords=0x200, _Source="MTFTP", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR MTFTP") returned 0x0 [0281.936] wcsncat_s (in: _Destination="NET stop NetBackup BMR MTFTP", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR MTFTP ") returned 0x0 [0281.936] wcsncat_s (in: _Destination="NET stop NetBackup BMR MTFTP ", _SizeInWords=0x200, _Source="Service", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR MTFTP Service") returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௼") returned 0xad [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes", _MaxCount=0x24) returned 18 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௿") returned 0x2e [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET COMPUTER\r\n\\\\computername {/ADD |", _MaxCount=0x24) returned 16 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bం") returned 0x7d [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:", _MaxCount=0x24) returned 16 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఅ") returned 0x26 [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n", _MaxCount=0x24) returned 16 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఈ") returned 0x19 [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 16 [0281.936] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఋ") returned 0x1b [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x24) returned 13 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఎ") returned 0xbe [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET GROUP\r\n[groupname [/COMMENT:\"tex", _MaxCount=0x24) returned 12 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b఑") returned 0x33 [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET co", _MaxCount=0x24) returned 11 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఔ") returned 0x19 [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x24) returned 11 [0281.936] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.936] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bగ") returned 0xc1 [0281.936] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT", _MaxCount=0x24) returned 7 [0281.936] LocalFree (hMem=0x3200530) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bచ") returned 0x16 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 3 [0281.937] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఝ") returned 0x33 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET SESSION\r\n[\\\\computername] [/DELE", _MaxCount=0x24) returned 15 [0281.937] LocalFree (hMem=0x3200530) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఠ") returned 0x234 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET SHARE\r\nsharename\r\n shar", _MaxCount=0x24) returned 12 [0281.937] LocalFree (hMem=0x3200530) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bణ") returned 0x13 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START BROWSER\r\n", _MaxCount=0x24) returned 14 [0281.937] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bద") returned 0x14 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START EVENTLOG\r\n", _MaxCount=0x24) returned 14 [0281.937] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1b఩") returned 0x14 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START NETLOGON\r\n", _MaxCount=0x24) returned 14 [0281.937] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="㤠̟˚蛬\x1bబ") returned 0x11 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START RPCSS\r\n", _MaxCount=0x24) returned 14 [0281.937] LocalFree (hMem=0x31f3920) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bయ") returned 0x14 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START SCHEDULE\r\n", _MaxCount=0x24) returned 14 [0281.937] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bల") returned 0x12 [0281.937] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START SERVER\r\n", _MaxCount=0x24) returned 14 [0281.937] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.937] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䗀̟˚蛬\x1bవ") returned 0xf [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START UPS\r\n", _MaxCount=0x24) returned 14 [0281.938] LocalFree (hMem=0x31f45c0) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bస") returned 0x17 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START WORKSTATION\r\n", _MaxCount=0x24) returned 14 [0281.938] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1b఻") returned 0x18 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x24) returned 14 [0281.938] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bా") returned 0x21 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET STATISTICS\r\n[WORKSTATION]\r\n\r\n", _MaxCount=0x24) returned 14 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bు") returned 0x15 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x24) returned 19 [0281.938] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౄ") returned 0x58 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAI", _MaxCount=0x24) returned -1 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bే") returned 0x184 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET USE\r\n[devicename | *] [\\\\compute", _MaxCount=0x24) returned -2 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bొ") returned 0xf0 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET USER\r\n[username [password | *] [", _MaxCount=0x24) returned -2 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b్") returned 0x47 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET VIEW\r\n[\\\\computername [/CACHE] |", _MaxCount=0x24) returned -3 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౐") returned 0xc2 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CON", _MaxCount=0x24) returned 19 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౓") returned 0x28d [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="SERVICES\r\nNET START can be used to s", _MaxCount=0x24) returned -5 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౖ") returned 0x483 [0281.938] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="SYNTAX\r\nThe following conventions ar", _MaxCount=0x24) returned -5 [0281.938] LocalFree (hMem=0x3200530) returned 0x0 [0281.938] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౙ") returned 0xa86 [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NAMES\r\nThe following types of names ", _MaxCount=0x24) returned 4 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౜") returned 0x54 [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="\r\nFor more information on tools see ", _MaxCount=0x24) returned 97 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௼") returned 0xad [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:", _MaxCount=0x1c) returned 18 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௿") returned 0x2e [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET COMPUTER\r\n\\\\computername", _MaxCount=0x1c) returned 16 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bం") returned 0x7d [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET CONFIG SERVER\r\n[/AUTODIS", _MaxCount=0x1c) returned 16 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఅ") returned 0x26 [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET CONFIG\r\n[SERVER | WORKST", _MaxCount=0x1c) returned 16 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఈ") returned 0x19 [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 16 [0281.939] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఋ") returned 0x1b [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1c) returned 13 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఎ") returned 0xbe [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET GROUP\r\n[groupname [/COMM", _MaxCount=0x1c) returned 12 [0281.939] LocalFree (hMem=0x3200530) returned 0x0 [0281.939] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b఑") returned 0x33 [0281.939] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET HELP\r\ncommand\r\n -or-", _MaxCount=0x1c) returned 11 [0281.940] LocalFree (hMem=0x3200530) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఔ") returned 0x19 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1c) returned 11 [0281.940] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bగ") returned 0xc1 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET LOCALGROUP\r\n[groupname [", _MaxCount=0x1c) returned 7 [0281.940] LocalFree (hMem=0x3200530) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bచ") returned 0x16 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 3 [0281.940] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఝ") returned 0x33 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET SESSION\r\n[\\\\computername", _MaxCount=0x1c) returned 15 [0281.940] LocalFree (hMem=0x3200530) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఠ") returned 0x234 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1c) returned 12 [0281.940] LocalFree (hMem=0x3200530) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bణ") returned 0x13 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START BROWSER\r\n", _MaxCount=0x1c) returned 14 [0281.940] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bద") returned 0x14 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1c) returned 14 [0281.940] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1b఩") returned 0x14 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START NETLOGON\r\n", _MaxCount=0x1c) returned 14 [0281.940] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.940] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="㤠̟˚蛬\x1bబ") returned 0x11 [0281.940] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START RPCSS\r\n", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x31f3920) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bయ") returned 0x14 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bల") returned 0x12 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START SERVER\r\n", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䗀̟˚蛬\x1bవ") returned 0xf [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START UPS\r\n", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x31f45c0) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bస") returned 0x17 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1b఻") returned 0x18 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bా") returned 0x21 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET STATISTICS\r\n[WORKSTATION", _MaxCount=0x1c) returned 14 [0281.941] LocalFree (hMem=0x3200530) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bు") returned 0x15 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 19 [0281.941] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౄ") returned 0x58 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET TIME\r\n\r\n[\\\\computername ", _MaxCount=0x1c) returned -1 [0281.941] LocalFree (hMem=0x3200530) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bే") returned 0x184 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET USE\r\n[devicename | *] [\\", _MaxCount=0x1c) returned -2 [0281.941] LocalFree (hMem=0x3200530) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bొ") returned 0xf0 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET USER\r\n[username [passwor", _MaxCount=0x1c) returned -2 [0281.941] LocalFree (hMem=0x3200530) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b్") returned 0x47 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET VIEW\r\n[\\\\computername [/", _MaxCount=0x1c) returned -3 [0281.941] LocalFree (hMem=0x3200530) returned 0x0 [0281.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౐") returned 0xc2 [0281.941] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET\r\n [ ACCOUNTS | COMPUT", _MaxCount=0x1c) returned 19 [0281.941] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౓") returned 0x28d [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="SERVICES\r\nNET START can be u", _MaxCount=0x1c) returned -5 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౖ") returned 0x483 [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="SYNTAX\r\nThe following conven", _MaxCount=0x1c) returned -5 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౙ") returned 0xa86 [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NAMES\r\nThe following types o", _MaxCount=0x1c) returned 4 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౜") returned 0x54 [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="\r\nFor more information on to", _MaxCount=0x1c) returned 97 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௼") returned 0xad [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET ACCOUNTS\r\n[/FORCEL", _MaxCount=0x16) returned 18 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௿") returned 0x2e [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET COMPUTER\r\n\\\\comput", _MaxCount=0x16) returned 16 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bం") returned 0x7d [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET CONFIG SERVER\r\n[/A", _MaxCount=0x16) returned 16 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఅ") returned 0x26 [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET CONFIG\r\n[SERVER | ", _MaxCount=0x16) returned 16 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఈ") returned 0x19 [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET CONTINUE\r\nservice\r", _MaxCount=0x16) returned 16 [0281.942] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఋ") returned 0x1b [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET FILE\r\n[id [/CLOSE]", _MaxCount=0x16) returned 13 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఎ") returned 0xbe [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET GROUP\r\n[groupname ", _MaxCount=0x16) returned 12 [0281.942] LocalFree (hMem=0x3200530) returned 0x0 [0281.942] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b఑") returned 0x33 [0281.942] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x16) returned 11 [0281.943] LocalFree (hMem=0x3200530) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఔ") returned 0x19 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET HELPMSG\r\nmessage#\r", _MaxCount=0x16) returned 11 [0281.943] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bగ") returned 0xc1 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET LOCALGROUP\r\n[group", _MaxCount=0x16) returned 7 [0281.943] LocalFree (hMem=0x3200530) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bచ") returned 0x16 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x16) returned 3 [0281.943] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఝ") returned 0x33 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET SESSION\r\n[\\\\comput", _MaxCount=0x16) returned 15 [0281.943] LocalFree (hMem=0x3200530) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఠ") returned 0x234 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET SHARE\r\nsharename\r\n", _MaxCount=0x16) returned 12 [0281.943] LocalFree (hMem=0x3200530) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bణ") returned 0x13 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START BROWSER\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bద") returned 0x14 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START EVENTLOG\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1b఩") returned 0x14 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START NETLOGON\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="㤠̟˚蛬\x1bబ") returned 0x11 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START RPCSS\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f3920) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bయ") returned 0x14 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START SCHEDULE\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bల") returned 0x12 [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START SERVER\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.943] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䗀̟˚蛬\x1bవ") returned 0xf [0281.943] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START UPS\r\n", _MaxCount=0x16) returned 14 [0281.943] LocalFree (hMem=0x31f45c0) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bస") returned 0x17 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START WORKSTATION\r", _MaxCount=0x16) returned 14 [0281.944] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1b఻") returned 0x18 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START\r\n[service]\r\n", _MaxCount=0x16) returned 14 [0281.944] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bా") returned 0x21 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET STATISTICS\r\n[WORKS", _MaxCount=0x16) returned 14 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bు") returned 0x15 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x16) returned 19 [0281.944] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౄ") returned 0x58 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET TIME\r\n\r\n[\\\\compute", _MaxCount=0x16) returned -1 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bే") returned 0x184 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET USE\r\n[devicename |", _MaxCount=0x16) returned -2 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bొ") returned 0xf0 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET USER\r\n[username [p", _MaxCount=0x16) returned -2 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b్") returned 0x47 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET VIEW\r\n[\\\\computern", _MaxCount=0x16) returned -3 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౐") returned 0xc2 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET\r\n [ ACCOUNTS | ", _MaxCount=0x16) returned 19 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౓") returned 0x28d [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="SERVICES\r\nNET START ca", _MaxCount=0x16) returned -5 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౖ") returned 0x483 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="SYNTAX\r\nThe following ", _MaxCount=0x16) returned -5 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.944] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bౙ") returned 0xa86 [0281.944] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NAMES\r\nThe following t", _MaxCount=0x16) returned 4 [0281.944] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b౜") returned 0x54 [0281.945] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="\r\nFor more information", _MaxCount=0x16) returned 97 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௼") returned 0xad [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b௿") returned 0x2e [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bం") returned 0x7d [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఅ") returned 0x26 [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఈ") returned 0x19 [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0281.945] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఋ") returned 0x1b [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bఎ") returned 0xbe [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1b఑") returned 0x33 [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఔ") returned 0x19 [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0281.945] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="԰̠˚蛬\x1bగ") returned 0xc1 [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0281.945] LocalFree (hMem=0x3200530) returned 0x0 [0281.945] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bచ") returned 0x16 [0281.945] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0281.945] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="ᔸ̠˚蛬\x1bఝ") returned 0x33 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0281.946] LocalFree (hMem=0x3201538) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="ᔸ̠˚蛬\x1bఠ") returned 0x234 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0281.946] LocalFree (hMem=0x3201538) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bణ") returned 0x13 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bద") returned 0x14 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1b఩") returned 0x14 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START NETLOGON", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="㤠̟˚蛬\x1bబ") returned 0x11 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f3920) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bయ") returned 0x14 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bల") returned 0x12 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䗀̟˚蛬\x1bవ") returned 0xf [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f45c0) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bస") returned 0x17 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1b఻") returned 0x18 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="ᔸ̠˚蛬\x1bా") returned 0x21 [0281.946] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0281.946] LocalFree (hMem=0x3201538) returned 0x0 [0281.946] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bు") returned 0x15 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0281.947] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bౄ") returned 0x58 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bే") returned 0x184 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bొ") returned 0xf0 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b్") returned 0x47 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b౐") returned 0xc2 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b౓") returned 0x28d [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bౖ") returned 0x483 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bౙ") returned 0xa86 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b౜") returned 0x54 [0281.947] _wcsnicmp (_String1="NET stop NetBackup", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.947] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b௼") returned 0xad [0281.947] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0281.947] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b௿") returned 0x2e [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bం") returned 0x7d [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bఅ") returned 0x26 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఈ") returned 0x19 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0281.948] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bఋ") returned 0x1b [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bఎ") returned 0xbe [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1b఑") returned 0x33 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="鼨̟˚蛬\x1bఔ") returned 0x19 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0281.948] LocalFree (hMem=0x31f9f28) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bగ") returned 0xc1 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bచ") returned 0x16 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0281.948] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bఝ") returned 0x33 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.948] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="╀̠˚蛬\x1bఠ") returned 0x234 [0281.948] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0281.948] LocalFree (hMem=0x3202540) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bణ") returned 0x13 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bద") returned 0x14 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1b఩") returned 0x14 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bబ") returned 0x11 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bయ") returned 0x14 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䨈̟˚蛬\x1bల") returned 0x12 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f4a08) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="䗀̟˚蛬\x1bవ") returned 0xf [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f45c0) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1bస") returned 0x17 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="赠̟˚蛬\x1b఻") returned 0x18 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x31f8d60) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="㕈̠˚蛬\x1bా") returned 0x21 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0281.949] LocalFree (hMem=0x3203548) returned 0x0 [0281.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x2df0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2daf2cc, nSize=0x0, Arguments=0x2daf2c8 | out: lpBuffer="軈̟˚蛬\x1bు") returned 0x15 [0281.949] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0281.949] GetFileType (hFile=0x94) returned 0x2 [0281.949] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2daf2c8 | out: lpMode=0x2daf2c8) returned 1 [0281.950] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x31f8ec8*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x2daf2cc, lpReserved=0x0 | out: lpBuffer=0x31f8ec8*, lpNumberOfCharsWritten=0x2daf2cc*=0x15) returned 1 [0281.950] LocalFree (hMem=0x31f8ec8) returned 0x0 [0281.950] NetApiBufferFree (Buffer=0x31f7dc8) returned 0x0 [0281.950] NetApiBufferFree (Buffer=0x31f7de0) returned 0x0 [0281.950] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop NetBackup BMR MTFTP Service /y" [0281.950] exit (_Code=1) Thread: id = 52 os_tid = 0x10f0 Process: id = "19" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x751b2000" os_pid = "0x10f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop DefWatch /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 53 os_tid = 0x125c Thread: id = 57 os_tid = 0x6d8 Process: id = "20" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5ae2a000" os_pid = "0x12f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x10f8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 54 os_tid = 0xdcc Thread: id = 55 os_tid = 0xdb8 Thread: id = 56 os_tid = 0x6ec Process: id = "21" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5aaa8000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x10f8" cmd_line = "C:\\WINDOWS\\system32\\net1 stop DefWatch /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 58 os_tid = 0xdfc [0282.301] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0282.301] __set_app_type (_Type=0x1) [0282.301] __p__fmode () returned 0x776f3c14 [0282.301] __p__commode () returned 0x776f49ec [0282.301] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0282.301] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0282.301] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0282.301] GetConsoleOutputCP () returned 0x1b5 [0282.302] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0282.302] SetThreadUILanguage (LangId=0x0) returned 0x2740409 [0282.305] sprintf_s (in: _DstBuf=0x25efa84, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0282.305] setlocale (category=0, locale=".437") returned="English_United States.437" [0282.306] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0282.306] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0282.306] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop DefWatch /y" [0282.306] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25ef82c, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0282.307] RtlAllocateHeap (HeapHandle=0x2a50000, Flags=0x0, Size=0x64) returned 0x2a54398 [0282.307] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0282.307] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25ef828 | out: Buffer=0x25ef828*=0x2a585a8) returned 0x0 [0282.307] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25ef824 | out: Buffer=0x25ef824*=0x2a58608) returned 0x0 [0282.307] __iob_func () returned 0x776f2608 [0282.307] _fileno (_File=0x776f2608) returned 0 [0282.307] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0282.307] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0282.307] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0282.307] _wcsicmp (_String1="config", _String2="stop") returned -16 [0282.307] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0282.307] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0282.307] _wcsicmp (_String1="file", _String2="stop") returned -13 [0282.307] _wcsicmp (_String1="files", _String2="stop") returned -13 [0282.307] _wcsicmp (_String1="group", _String2="stop") returned -12 [0282.307] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0282.307] _wcsicmp (_String1="help", _String2="stop") returned -11 [0282.307] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0282.307] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0282.307] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0282.307] _wcsicmp (_String1="session", _String2="stop") returned -15 [0282.307] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0282.307] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0282.307] _wcsicmp (_String1="share", _String2="stop") returned -12 [0282.307] _wcsicmp (_String1="start", _String2="stop") returned -14 [0282.307] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0282.307] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0282.307] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0282.307] _wcsicmp (_String1="accounts", _String2="DefWatch") returned -3 [0282.307] _wcsicmp (_String1="computer", _String2="DefWatch") returned -1 [0282.308] _wcsicmp (_String1="config", _String2="DefWatch") returned -1 [0282.308] _wcsicmp (_String1="continue", _String2="DefWatch") returned -1 [0282.308] _wcsicmp (_String1="cont", _String2="DefWatch") returned -1 [0282.308] _wcsicmp (_String1="file", _String2="DefWatch") returned 2 [0282.308] _wcsicmp (_String1="files", _String2="DefWatch") returned 2 [0282.308] _wcsicmp (_String1="group", _String2="DefWatch") returned 3 [0282.308] _wcsicmp (_String1="groups", _String2="DefWatch") returned 3 [0282.308] _wcsicmp (_String1="help", _String2="DefWatch") returned 4 [0282.308] _wcsicmp (_String1="helpmsg", _String2="DefWatch") returned 4 [0282.308] _wcsicmp (_String1="localgroup", _String2="DefWatch") returned 8 [0282.308] _wcsicmp (_String1="pause", _String2="DefWatch") returned 12 [0282.308] _wcsicmp (_String1="session", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="sessions", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="sess", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="share", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="start", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="stats", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="statistics", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="stop", _String2="DefWatch") returned 15 [0282.308] _wcsicmp (_String1="time", _String2="DefWatch") returned 16 [0282.308] _wcsicmp (_String1="user", _String2="DefWatch") returned 17 [0282.308] _wcsicmp (_String1="users", _String2="DefWatch") returned 17 [0282.308] _wcsicmp (_String1="msg", _String2="DefWatch") returned 9 [0282.308] _wcsicmp (_String1="messenger", _String2="DefWatch") returned 9 [0282.308] _wcsicmp (_String1="receiver", _String2="DefWatch") returned 14 [0282.308] _wcsicmp (_String1="rcv", _String2="DefWatch") returned 14 [0282.308] _wcsicmp (_String1="netpopup", _String2="DefWatch") returned 10 [0282.308] _wcsicmp (_String1="redirector", _String2="DefWatch") returned 14 [0282.308] _wcsicmp (_String1="redir", _String2="DefWatch") returned 14 [0282.308] _wcsicmp (_String1="rdr", _String2="DefWatch") returned 14 [0282.308] _wcsicmp (_String1="workstation", _String2="DefWatch") returned 19 [0282.308] _wcsicmp (_String1="work", _String2="DefWatch") returned 19 [0282.308] _wcsicmp (_String1="wksta", _String2="DefWatch") returned 19 [0282.308] _wcsicmp (_String1="prdr", _String2="DefWatch") returned 12 [0282.308] _wcsicmp (_String1="devrdr", _String2="DefWatch") returned 16 [0282.308] _wcsicmp (_String1="lanmanworkstation", _String2="DefWatch") returned 8 [0282.309] _wcsicmp (_String1="server", _String2="DefWatch") returned 15 [0282.309] _wcsicmp (_String1="svr", _String2="DefWatch") returned 15 [0282.309] _wcsicmp (_String1="srv", _String2="DefWatch") returned 15 [0282.309] _wcsicmp (_String1="lanmanserver", _String2="DefWatch") returned 8 [0282.309] _wcsicmp (_String1="alerter", _String2="DefWatch") returned -3 [0282.309] _wcsicmp (_String1="netlogon", _String2="DefWatch") returned 10 [0282.309] _wcsupr (in: _String="DefWatch" | out: _String="DEFWATCH") returned="DEFWATCH" [0282.309] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2a609c0 [0282.312] GetServiceKeyNameW (in: hSCManager=0x2a609c0, lpDisplayName="DEFWATCH", lpServiceName=0x1c8c28, lpcchBuffer=0x25ef79c | out: lpServiceName="", lpcchBuffer=0x25ef79c) returned 0 [0282.313] _wcsicmp (_String1="msg", _String2="DEFWATCH") returned 9 [0282.313] _wcsicmp (_String1="messenger", _String2="DEFWATCH") returned 9 [0282.313] _wcsicmp (_String1="receiver", _String2="DEFWATCH") returned 14 [0282.313] _wcsicmp (_String1="rcv", _String2="DEFWATCH") returned 14 [0282.313] _wcsicmp (_String1="redirector", _String2="DEFWATCH") returned 14 [0282.313] _wcsicmp (_String1="redir", _String2="DEFWATCH") returned 14 [0282.314] _wcsicmp (_String1="rdr", _String2="DEFWATCH") returned 14 [0282.314] _wcsicmp (_String1="workstation", _String2="DEFWATCH") returned 19 [0282.314] _wcsicmp (_String1="work", _String2="DEFWATCH") returned 19 [0282.314] _wcsicmp (_String1="wksta", _String2="DEFWATCH") returned 19 [0282.314] _wcsicmp (_String1="prdr", _String2="DEFWATCH") returned 12 [0282.314] _wcsicmp (_String1="devrdr", _String2="DEFWATCH") returned 16 [0282.314] _wcsicmp (_String1="lanmanworkstation", _String2="DEFWATCH") returned 8 [0282.314] _wcsicmp (_String1="server", _String2="DEFWATCH") returned 15 [0282.314] _wcsicmp (_String1="svr", _String2="DEFWATCH") returned 15 [0282.314] _wcsicmp (_String1="srv", _String2="DEFWATCH") returned 15 [0282.314] _wcsicmp (_String1="lanmanserver", _String2="DEFWATCH") returned 8 [0282.314] _wcsicmp (_String1="alerter", _String2="DEFWATCH") returned -3 [0282.314] _wcsicmp (_String1="netlogon", _String2="DEFWATCH") returned 10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="WORKSTATION") returned -19 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="LanmanWorkstation") returned -8 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="SERVER") returned -15 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="LanmanServer") returned -8 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="BROWSER") returned 2 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="BROWSER") returned 2 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="MESSENGER") returned -9 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="MESSENGER") returned -9 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="NETRUN") returned -10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="NETRUN") returned -10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="SPOOLER") returned -15 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="SPOOLER") returned -15 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="ALERTER") returned 3 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="ALERTER") returned 3 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="NETLOGON") returned -10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="NETLOGON") returned -10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="NETPOPUP") returned -10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="NETPOPUP") returned -10 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="SQLSERVER") returned -15 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="SQLSERVER") returned -15 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="REPLICATOR") returned -14 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="REPLICATOR") returned -14 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="REMOTEBOOT") returned -14 [0282.314] _wcsicmp (_String1="DEFWATCH", _String2="REMOTEBOOT") returned -14 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="TIMESOURCE") returned -16 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="TIMESOURCE") returned -16 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="AFP") returned 3 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="AFP") returned 3 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="UPS") returned -17 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="UPS") returned -17 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="XACTSRV") returned -20 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="XACTSRV") returned -20 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="TCPIP") returned -16 [0282.315] _wcsicmp (_String1="DEFWATCH", _String2="TCPIP") returned -16 [0282.315] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2a60ad8 [0282.315] OpenServiceW (hSCManager=0x2a60ad8, lpServiceName="DEFWATCH", dwDesiredAccess=0x84) returned 0x0 [0282.316] GetLastError () returned 0x424 [0282.316] CloseServiceHandle (hSCObject=0x2a60ad8) returned 1 [0282.316] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0282.316] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2930002 [0282.317] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2930002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0282.317] GetFileType (hFile=0x94) returned 0x2 [0282.317] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25ef62c | out: lpMode=0x25ef62c) returned 1 [0282.318] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x25ef638, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x25ef638*=0x1e) returned 1 [0282.318] GetFileType (hFile=0x94) returned 0x2 [0282.318] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25ef62c | out: lpMode=0x25ef62c) returned 1 [0282.319] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x25ef638, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x25ef638*=0x2) returned 1 [0282.319] _ultow (in: _Dest=0x889, _Radix=39777920 | out: _Dest=0x889) returned="2185" [0282.319] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2930002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0282.319] GetFileType (hFile=0x94) returned 0x2 [0282.319] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25ef650 | out: lpMode=0x25ef650) returned 1 [0282.319] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x25ef65c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x25ef65c*=0x34) returned 1 [0282.320] GetFileType (hFile=0x94) returned 0x2 [0282.320] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25ef650 | out: lpMode=0x25ef650) returned 1 [0282.320] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x25ef65c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x25ef65c*=0x2) returned 1 [0282.321] NetApiBufferFree (Buffer=0x2a585a8) returned 0x0 [0282.321] NetApiBufferFree (Buffer=0x2a58608) returned 0x0 [0282.321] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop DefWatch /y" [0282.321] exit (_Code=2) Thread: id = 59 os_tid = 0xdf4 Process: id = "22" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x751b7000" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop ccEvtMgr /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0x1ec Thread: id = 64 os_tid = 0xa80 Process: id = "23" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5a869000" os_pid = "0x2bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0xac8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 61 os_tid = 0xe54 Thread: id = 62 os_tid = 0x440 Thread: id = 63 os_tid = 0x5b8 Process: id = "24" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1ade8000" os_pid = "0x648" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0xac8" cmd_line = "C:\\WINDOWS\\system32\\net1 stop ccEvtMgr /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 65 os_tid = 0xf0 [0282.688] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0282.688] __set_app_type (_Type=0x1) [0282.688] __p__fmode () returned 0x776f3c14 [0282.688] __p__commode () returned 0x776f49ec [0282.688] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0282.688] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0282.689] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0282.689] GetConsoleOutputCP () returned 0x1b5 [0282.689] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0282.690] SetThreadUILanguage (LangId=0x0) returned 0x2f40409 [0282.692] sprintf_s (in: _DstBuf=0x2d3fd94, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0282.692] setlocale (category=0, locale=".437") returned="English_United States.437" [0282.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0282.694] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0282.694] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop ccEvtMgr /y" [0282.694] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2d3fb3c, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0282.694] RtlAllocateHeap (HeapHandle=0x32f0000, Flags=0x0, Size=0x64) returned 0x32f7878 [0282.694] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0282.694] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2d3fb38 | out: Buffer=0x2d3fb38*=0x32f8650) returned 0x0 [0282.694] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2d3fb34 | out: Buffer=0x2d3fb34*=0x32f8590) returned 0x0 [0282.694] __iob_func () returned 0x776f2608 [0282.694] _fileno (_File=0x776f2608) returned 0 [0282.694] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0282.694] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0282.694] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0282.694] _wcsicmp (_String1="config", _String2="stop") returned -16 [0282.694] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0282.694] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0282.694] _wcsicmp (_String1="file", _String2="stop") returned -13 [0282.694] _wcsicmp (_String1="files", _String2="stop") returned -13 [0282.695] _wcsicmp (_String1="group", _String2="stop") returned -12 [0282.695] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0282.695] _wcsicmp (_String1="help", _String2="stop") returned -11 [0282.695] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0282.695] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0282.695] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0282.695] _wcsicmp (_String1="session", _String2="stop") returned -15 [0282.695] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0282.695] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0282.695] _wcsicmp (_String1="share", _String2="stop") returned -12 [0282.695] _wcsicmp (_String1="start", _String2="stop") returned -14 [0282.695] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0282.695] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0282.695] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0282.695] _wcsicmp (_String1="accounts", _String2="ccEvtMgr") returned -2 [0282.695] _wcsicmp (_String1="computer", _String2="ccEvtMgr") returned 12 [0282.695] _wcsicmp (_String1="config", _String2="ccEvtMgr") returned 12 [0282.695] _wcsicmp (_String1="continue", _String2="ccEvtMgr") returned 12 [0282.695] _wcsicmp (_String1="cont", _String2="ccEvtMgr") returned 12 [0282.695] _wcsicmp (_String1="file", _String2="ccEvtMgr") returned 3 [0282.695] _wcsicmp (_String1="files", _String2="ccEvtMgr") returned 3 [0282.695] _wcsicmp (_String1="group", _String2="ccEvtMgr") returned 4 [0282.695] _wcsicmp (_String1="groups", _String2="ccEvtMgr") returned 4 [0282.695] _wcsicmp (_String1="help", _String2="ccEvtMgr") returned 5 [0282.695] _wcsicmp (_String1="helpmsg", _String2="ccEvtMgr") returned 5 [0282.695] _wcsicmp (_String1="localgroup", _String2="ccEvtMgr") returned 9 [0282.695] _wcsicmp (_String1="pause", _String2="ccEvtMgr") returned 13 [0282.695] _wcsicmp (_String1="session", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="sessions", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="sess", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="share", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="start", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="stats", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="statistics", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="stop", _String2="ccEvtMgr") returned 16 [0282.695] _wcsicmp (_String1="time", _String2="ccEvtMgr") returned 17 [0282.696] _wcsicmp (_String1="user", _String2="ccEvtMgr") returned 18 [0282.696] _wcsicmp (_String1="users", _String2="ccEvtMgr") returned 18 [0282.696] _wcsicmp (_String1="msg", _String2="ccEvtMgr") returned 10 [0282.696] _wcsicmp (_String1="messenger", _String2="ccEvtMgr") returned 10 [0282.696] _wcsicmp (_String1="receiver", _String2="ccEvtMgr") returned 15 [0282.696] _wcsicmp (_String1="rcv", _String2="ccEvtMgr") returned 15 [0282.696] _wcsicmp (_String1="netpopup", _String2="ccEvtMgr") returned 11 [0282.696] _wcsicmp (_String1="redirector", _String2="ccEvtMgr") returned 15 [0282.696] _wcsicmp (_String1="redir", _String2="ccEvtMgr") returned 15 [0282.696] _wcsicmp (_String1="rdr", _String2="ccEvtMgr") returned 15 [0282.696] _wcsicmp (_String1="workstation", _String2="ccEvtMgr") returned 20 [0282.696] _wcsicmp (_String1="work", _String2="ccEvtMgr") returned 20 [0282.696] _wcsicmp (_String1="wksta", _String2="ccEvtMgr") returned 20 [0282.696] _wcsicmp (_String1="prdr", _String2="ccEvtMgr") returned 13 [0282.696] _wcsicmp (_String1="devrdr", _String2="ccEvtMgr") returned 1 [0282.696] _wcsicmp (_String1="lanmanworkstation", _String2="ccEvtMgr") returned 9 [0282.696] _wcsicmp (_String1="server", _String2="ccEvtMgr") returned 16 [0282.696] _wcsicmp (_String1="svr", _String2="ccEvtMgr") returned 16 [0282.696] _wcsicmp (_String1="srv", _String2="ccEvtMgr") returned 16 [0282.696] _wcsicmp (_String1="lanmanserver", _String2="ccEvtMgr") returned 9 [0282.696] _wcsicmp (_String1="alerter", _String2="ccEvtMgr") returned -2 [0282.696] _wcsicmp (_String1="netlogon", _String2="ccEvtMgr") returned 11 [0282.696] _wcsupr (in: _String="ccEvtMgr" | out: _String="CCEVTMGR") returned="CCEVTMGR" [0282.696] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3300980 [0282.699] GetServiceKeyNameW (in: hSCManager=0x3300980, lpDisplayName="CCEVTMGR", lpServiceName=0x1c8c28, lpcchBuffer=0x2d3faac | out: lpServiceName="", lpcchBuffer=0x2d3faac) returned 0 [0282.700] _wcsicmp (_String1="msg", _String2="CCEVTMGR") returned 10 [0282.700] _wcsicmp (_String1="messenger", _String2="CCEVTMGR") returned 10 [0282.700] _wcsicmp (_String1="receiver", _String2="CCEVTMGR") returned 15 [0282.700] _wcsicmp (_String1="rcv", _String2="CCEVTMGR") returned 15 [0282.700] _wcsicmp (_String1="redirector", _String2="CCEVTMGR") returned 15 [0282.700] _wcsicmp (_String1="redir", _String2="CCEVTMGR") returned 15 [0282.700] _wcsicmp (_String1="rdr", _String2="CCEVTMGR") returned 15 [0282.700] _wcsicmp (_String1="workstation", _String2="CCEVTMGR") returned 20 [0282.700] _wcsicmp (_String1="work", _String2="CCEVTMGR") returned 20 [0282.700] _wcsicmp (_String1="wksta", _String2="CCEVTMGR") returned 20 [0282.700] _wcsicmp (_String1="prdr", _String2="CCEVTMGR") returned 13 [0282.700] _wcsicmp (_String1="devrdr", _String2="CCEVTMGR") returned 1 [0282.700] _wcsicmp (_String1="lanmanworkstation", _String2="CCEVTMGR") returned 9 [0282.700] _wcsicmp (_String1="server", _String2="CCEVTMGR") returned 16 [0282.700] _wcsicmp (_String1="svr", _String2="CCEVTMGR") returned 16 [0282.700] _wcsicmp (_String1="srv", _String2="CCEVTMGR") returned 16 [0282.700] _wcsicmp (_String1="lanmanserver", _String2="CCEVTMGR") returned 9 [0282.700] _wcsicmp (_String1="alerter", _String2="CCEVTMGR") returned -2 [0282.700] _wcsicmp (_String1="netlogon", _String2="CCEVTMGR") returned 11 [0282.700] _wcsicmp (_String1="CCEVTMGR", _String2="WORKSTATION") returned -20 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="LanmanWorkstation") returned -9 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="SERVER") returned -16 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="LanmanServer") returned -9 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="BROWSER") returned 1 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="BROWSER") returned 1 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="MESSENGER") returned -10 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="MESSENGER") returned -10 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="NETRUN") returned -11 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="NETRUN") returned -11 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="SPOOLER") returned -16 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="SPOOLER") returned -16 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="ALERTER") returned 2 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="ALERTER") returned 2 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="NETLOGON") returned -11 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="NETLOGON") returned -11 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="NETPOPUP") returned -11 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="NETPOPUP") returned -11 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="SQLSERVER") returned -16 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="SQLSERVER") returned -16 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="REPLICATOR") returned -15 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="REPLICATOR") returned -15 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="REMOTEBOOT") returned -15 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="REMOTEBOOT") returned -15 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="TIMESOURCE") returned -17 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="TIMESOURCE") returned -17 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="AFP") returned 2 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="AFP") returned 2 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="UPS") returned -18 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="UPS") returned -18 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="XACTSRV") returned -21 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="XACTSRV") returned -21 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="TCPIP") returned -17 [0282.701] _wcsicmp (_String1="CCEVTMGR", _String2="TCPIP") returned -17 [0282.701] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x33007a0 [0282.702] OpenServiceW (hSCManager=0x33007a0, lpServiceName="CCEVTMGR", dwDesiredAccess=0x84) returned 0x0 [0282.702] GetLastError () returned 0x424 [0282.702] CloseServiceHandle (hSCObject=0x33007a0) returned 1 [0282.702] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0282.702] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2db0002 [0282.703] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2db0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0282.704] GetFileType (hFile=0x94) returned 0x2 [0282.704] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2d3f93c | out: lpMode=0x2d3f93c) returned 1 [0282.704] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2d3f948, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2d3f948*=0x1e) returned 1 [0282.704] GetFileType (hFile=0x94) returned 0x2 [0282.705] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2d3f93c | out: lpMode=0x2d3f93c) returned 1 [0282.705] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2d3f948, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2d3f948*=0x2) returned 1 [0282.705] _ultow (in: _Dest=0x889, _Radix=47446416 | out: _Dest=0x889) returned="2185" [0282.705] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2db0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0282.706] GetFileType (hFile=0x94) returned 0x2 [0282.706] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2d3f960 | out: lpMode=0x2d3f960) returned 1 [0282.706] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2d3f96c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2d3f96c*=0x34) returned 1 [0282.706] GetFileType (hFile=0x94) returned 0x2 [0282.706] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2d3f960 | out: lpMode=0x2d3f960) returned 1 [0282.706] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2d3f96c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2d3f96c*=0x2) returned 1 [0282.707] NetApiBufferFree (Buffer=0x32f8650) returned 0x0 [0282.707] NetApiBufferFree (Buffer=0x32f8590) returned 0x0 [0282.707] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop ccEvtMgr /y" [0282.707] exit (_Code=2) Thread: id = 66 os_tid = 0x13f4 Process: id = "25" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5a83c000" os_pid = "0x10b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop ccSetMgr /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 67 os_tid = 0x10dc Thread: id = 71 os_tid = 0xed4 Process: id = "26" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x364e8000" os_pid = "0x6e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x10b8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 68 os_tid = 0xea4 Thread: id = 69 os_tid = 0xebc Thread: id = 70 os_tid = 0xef8 Process: id = "27" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5a165000" os_pid = "0xdb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x10b8" cmd_line = "C:\\WINDOWS\\system32\\net1 stop ccSetMgr /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 72 os_tid = 0xf18 [0283.136] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0283.136] __set_app_type (_Type=0x1) [0283.136] __p__fmode () returned 0x776f3c14 [0283.136] __p__commode () returned 0x776f49ec [0283.136] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0283.136] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0283.137] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0283.137] GetConsoleOutputCP () returned 0x1b5 [0283.137] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0283.137] SetThreadUILanguage (LangId=0x0) returned 0x2be0409 [0283.140] sprintf_s (in: _DstBuf=0x29bfc80, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0283.140] setlocale (category=0, locale=".437") returned="English_United States.437" [0283.142] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0283.142] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0283.142] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop ccSetMgr /y" [0283.142] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29bfa28, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0283.142] RtlAllocateHeap (HeapHandle=0x2db0000, Flags=0x0, Size=0x64) returned 0x2db4398 [0283.142] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0283.142] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29bfa24 | out: Buffer=0x29bfa24*=0x2db84b8) returned 0x0 [0283.142] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29bfa20 | out: Buffer=0x29bfa20*=0x2db8560) returned 0x0 [0283.142] __iob_func () returned 0x776f2608 [0283.142] _fileno (_File=0x776f2608) returned 0 [0283.142] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0283.143] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0283.143] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0283.143] _wcsicmp (_String1="config", _String2="stop") returned -16 [0283.143] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0283.143] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0283.143] _wcsicmp (_String1="file", _String2="stop") returned -13 [0283.143] _wcsicmp (_String1="files", _String2="stop") returned -13 [0283.143] _wcsicmp (_String1="group", _String2="stop") returned -12 [0283.143] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0283.143] _wcsicmp (_String1="help", _String2="stop") returned -11 [0283.143] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0283.143] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0283.143] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0283.143] _wcsicmp (_String1="session", _String2="stop") returned -15 [0283.143] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0283.143] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0283.143] _wcsicmp (_String1="share", _String2="stop") returned -12 [0283.143] _wcsicmp (_String1="start", _String2="stop") returned -14 [0283.143] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0283.143] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0283.143] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0283.143] _wcsicmp (_String1="accounts", _String2="ccSetMgr") returned -2 [0283.143] _wcsicmp (_String1="computer", _String2="ccSetMgr") returned 12 [0283.143] _wcsicmp (_String1="config", _String2="ccSetMgr") returned 12 [0283.143] _wcsicmp (_String1="continue", _String2="ccSetMgr") returned 12 [0283.143] _wcsicmp (_String1="cont", _String2="ccSetMgr") returned 12 [0283.143] _wcsicmp (_String1="file", _String2="ccSetMgr") returned 3 [0283.144] _wcsicmp (_String1="files", _String2="ccSetMgr") returned 3 [0283.144] _wcsicmp (_String1="group", _String2="ccSetMgr") returned 4 [0283.144] _wcsicmp (_String1="groups", _String2="ccSetMgr") returned 4 [0283.144] _wcsicmp (_String1="help", _String2="ccSetMgr") returned 5 [0283.144] _wcsicmp (_String1="helpmsg", _String2="ccSetMgr") returned 5 [0283.144] _wcsicmp (_String1="localgroup", _String2="ccSetMgr") returned 9 [0283.144] _wcsicmp (_String1="pause", _String2="ccSetMgr") returned 13 [0283.144] _wcsicmp (_String1="session", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="sessions", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="sess", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="share", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="start", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="stats", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="statistics", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="stop", _String2="ccSetMgr") returned 16 [0283.144] _wcsicmp (_String1="time", _String2="ccSetMgr") returned 17 [0283.145] _wcsicmp (_String1="user", _String2="ccSetMgr") returned 18 [0283.145] _wcsicmp (_String1="users", _String2="ccSetMgr") returned 18 [0283.145] _wcsicmp (_String1="msg", _String2="ccSetMgr") returned 10 [0283.145] _wcsicmp (_String1="messenger", _String2="ccSetMgr") returned 10 [0283.145] _wcsicmp (_String1="receiver", _String2="ccSetMgr") returned 15 [0283.145] _wcsicmp (_String1="rcv", _String2="ccSetMgr") returned 15 [0283.145] _wcsicmp (_String1="netpopup", _String2="ccSetMgr") returned 11 [0283.146] _wcsicmp (_String1="redirector", _String2="ccSetMgr") returned 15 [0283.146] _wcsicmp (_String1="redir", _String2="ccSetMgr") returned 15 [0283.146] _wcsicmp (_String1="rdr", _String2="ccSetMgr") returned 15 [0283.146] _wcsicmp (_String1="workstation", _String2="ccSetMgr") returned 20 [0283.146] _wcsicmp (_String1="work", _String2="ccSetMgr") returned 20 [0283.146] _wcsicmp (_String1="wksta", _String2="ccSetMgr") returned 20 [0283.146] _wcsicmp (_String1="prdr", _String2="ccSetMgr") returned 13 [0283.146] _wcsicmp (_String1="devrdr", _String2="ccSetMgr") returned 1 [0283.146] _wcsicmp (_String1="lanmanworkstation", _String2="ccSetMgr") returned 9 [0283.146] _wcsicmp (_String1="server", _String2="ccSetMgr") returned 16 [0283.146] _wcsicmp (_String1="svr", _String2="ccSetMgr") returned 16 [0283.146] _wcsicmp (_String1="srv", _String2="ccSetMgr") returned 16 [0283.146] _wcsicmp (_String1="lanmanserver", _String2="ccSetMgr") returned 9 [0283.146] _wcsicmp (_String1="alerter", _String2="ccSetMgr") returned -2 [0283.146] _wcsicmp (_String1="netlogon", _String2="ccSetMgr") returned 11 [0283.146] _wcsupr (in: _String="ccSetMgr" | out: _String="CCSETMGR") returned="CCSETMGR" [0283.146] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2dc07f0 [0283.150] GetServiceKeyNameW (in: hSCManager=0x2dc07f0, lpDisplayName="CCSETMGR", lpServiceName=0x1c8c28, lpcchBuffer=0x29bf994 | out: lpServiceName="", lpcchBuffer=0x29bf994) returned 0 [0283.152] _wcsicmp (_String1="msg", _String2="CCSETMGR") returned 10 [0283.152] _wcsicmp (_String1="messenger", _String2="CCSETMGR") returned 10 [0283.152] _wcsicmp (_String1="receiver", _String2="CCSETMGR") returned 15 [0283.152] _wcsicmp (_String1="rcv", _String2="CCSETMGR") returned 15 [0283.152] _wcsicmp (_String1="redirector", _String2="CCSETMGR") returned 15 [0283.152] _wcsicmp (_String1="redir", _String2="CCSETMGR") returned 15 [0283.152] _wcsicmp (_String1="rdr", _String2="CCSETMGR") returned 15 [0283.152] _wcsicmp (_String1="workstation", _String2="CCSETMGR") returned 20 [0283.152] _wcsicmp (_String1="work", _String2="CCSETMGR") returned 20 [0283.152] _wcsicmp (_String1="wksta", _String2="CCSETMGR") returned 20 [0283.152] _wcsicmp (_String1="prdr", _String2="CCSETMGR") returned 13 [0283.152] _wcsicmp (_String1="devrdr", _String2="CCSETMGR") returned 1 [0283.152] _wcsicmp (_String1="lanmanworkstation", _String2="CCSETMGR") returned 9 [0283.152] _wcsicmp (_String1="server", _String2="CCSETMGR") returned 16 [0283.152] _wcsicmp (_String1="svr", _String2="CCSETMGR") returned 16 [0283.152] _wcsicmp (_String1="srv", _String2="CCSETMGR") returned 16 [0283.152] _wcsicmp (_String1="lanmanserver", _String2="CCSETMGR") returned 9 [0283.152] _wcsicmp (_String1="alerter", _String2="CCSETMGR") returned -2 [0283.152] _wcsicmp (_String1="netlogon", _String2="CCSETMGR") returned 11 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="WORKSTATION") returned -20 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="LanmanWorkstation") returned -9 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="SERVER") returned -16 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="LanmanServer") returned -9 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="BROWSER") returned 1 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="BROWSER") returned 1 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="MESSENGER") returned -10 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="MESSENGER") returned -10 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="NETRUN") returned -11 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="NETRUN") returned -11 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="SPOOLER") returned -16 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="SPOOLER") returned -16 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="ALERTER") returned 2 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="ALERTER") returned 2 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="NETLOGON") returned -11 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="NETLOGON") returned -11 [0283.152] _wcsicmp (_String1="CCSETMGR", _String2="NETPOPUP") returned -11 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="NETPOPUP") returned -11 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="SQLSERVER") returned -16 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="SQLSERVER") returned -16 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="REPLICATOR") returned -15 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="REPLICATOR") returned -15 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="REMOTEBOOT") returned -15 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="REMOTEBOOT") returned -15 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="TIMESOURCE") returned -17 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="TIMESOURCE") returned -17 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="AFP") returned 2 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="AFP") returned 2 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="UPS") returned -18 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="UPS") returned -18 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="XACTSRV") returned -21 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="XACTSRV") returned -21 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="TCPIP") returned -17 [0283.153] _wcsicmp (_String1="CCSETMGR", _String2="TCPIP") returned -17 [0283.153] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2dc0b60 [0283.153] OpenServiceW (hSCManager=0x2dc0b60, lpServiceName="CCSETMGR", dwDesiredAccess=0x84) returned 0x0 [0283.154] GetLastError () returned 0x424 [0283.154] CloseServiceHandle (hSCObject=0x2dc0b60) returned 1 [0283.154] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0283.154] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x29f0002 [0283.155] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x29f0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0283.155] GetFileType (hFile=0x94) returned 0x2 [0283.155] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29bf824 | out: lpMode=0x29bf824) returned 1 [0283.156] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x29bf830, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x29bf830*=0x1e) returned 1 [0283.156] GetFileType (hFile=0x94) returned 0x2 [0283.156] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29bf824 | out: lpMode=0x29bf824) returned 1 [0283.157] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x29bf830, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x29bf830*=0x2) returned 1 [0283.157] _ultow (in: _Dest=0x889, _Radix=43776120 | out: _Dest=0x889) returned="2185" [0283.157] FormatMessageW (in: dwFlags=0x2800, lpSource=0x29f0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0283.157] GetFileType (hFile=0x94) returned 0x2 [0283.157] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29bf848 | out: lpMode=0x29bf848) returned 1 [0283.157] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x29bf854, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x29bf854*=0x34) returned 1 [0283.158] GetFileType (hFile=0x94) returned 0x2 [0283.158] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29bf848 | out: lpMode=0x29bf848) returned 1 [0283.158] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x29bf854, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x29bf854*=0x2) returned 1 [0283.159] NetApiBufferFree (Buffer=0x2db84b8) returned 0x0 [0283.159] NetApiBufferFree (Buffer=0x2db8560) returned 0x0 [0283.159] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop ccSetMgr /y" [0283.159] exit (_Code=2) Thread: id = 73 os_tid = 0xef4 Process: id = "28" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x59e41000" os_pid = "0xfb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop SavRoam /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 74 os_tid = 0xfdc Thread: id = 78 os_tid = 0xe78 Process: id = "29" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5a180000" os_pid = "0x4b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0xfb8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 75 os_tid = 0xa20 Thread: id = 76 os_tid = 0xab4 Thread: id = 77 os_tid = 0xd7c Process: id = "30" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x598fd000" os_pid = "0x85c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0xfb8" cmd_line = "C:\\WINDOWS\\system32\\net1 stop SavRoam /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 79 os_tid = 0xc74 [0283.564] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0283.564] __set_app_type (_Type=0x1) [0283.564] __p__fmode () returned 0x776f3c14 [0283.564] __p__commode () returned 0x776f49ec [0283.564] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0283.565] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0283.565] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0283.565] GetConsoleOutputCP () returned 0x1b5 [0283.566] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0283.566] SetThreadUILanguage (LangId=0x0) returned 0x28e0409 [0283.568] sprintf_s (in: _DstBuf=0x2a7fd24, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0283.568] setlocale (category=0, locale=".437") returned="English_United States.437" [0283.570] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0283.570] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0283.570] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop SavRoam /y" [0283.570] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a7facc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0283.570] RtlAllocateHeap (HeapHandle=0x2c00000, Flags=0x0, Size=0x62) returned 0x2c07870 [0283.570] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0283.570] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2a7fac8 | out: Buffer=0x2a7fac8*=0x2c085a0) returned 0x0 [0283.570] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2a7fac4 | out: Buffer=0x2a7fac4*=0x2c085b8) returned 0x0 [0283.570] __iob_func () returned 0x776f2608 [0283.570] _fileno (_File=0x776f2608) returned 0 [0283.570] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0283.571] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0283.571] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0283.571] _wcsicmp (_String1="config", _String2="stop") returned -16 [0283.571] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0283.571] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0283.571] _wcsicmp (_String1="file", _String2="stop") returned -13 [0283.571] _wcsicmp (_String1="files", _String2="stop") returned -13 [0283.571] _wcsicmp (_String1="group", _String2="stop") returned -12 [0283.571] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0283.571] _wcsicmp (_String1="help", _String2="stop") returned -11 [0283.571] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0283.571] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0283.571] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0283.571] _wcsicmp (_String1="session", _String2="stop") returned -15 [0283.571] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0283.571] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0283.571] _wcsicmp (_String1="share", _String2="stop") returned -12 [0283.571] _wcsicmp (_String1="start", _String2="stop") returned -14 [0283.571] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0283.571] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0283.571] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0283.571] _wcsicmp (_String1="accounts", _String2="SavRoam") returned -18 [0283.571] _wcsicmp (_String1="computer", _String2="SavRoam") returned -16 [0283.571] _wcsicmp (_String1="config", _String2="SavRoam") returned -16 [0283.571] _wcsicmp (_String1="continue", _String2="SavRoam") returned -16 [0283.571] _wcsicmp (_String1="cont", _String2="SavRoam") returned -16 [0283.571] _wcsicmp (_String1="file", _String2="SavRoam") returned -13 [0283.571] _wcsicmp (_String1="files", _String2="SavRoam") returned -13 [0283.571] _wcsicmp (_String1="group", _String2="SavRoam") returned -12 [0283.571] _wcsicmp (_String1="groups", _String2="SavRoam") returned -12 [0283.571] _wcsicmp (_String1="help", _String2="SavRoam") returned -11 [0283.571] _wcsicmp (_String1="helpmsg", _String2="SavRoam") returned -11 [0283.571] _wcsicmp (_String1="localgroup", _String2="SavRoam") returned -7 [0283.571] _wcsicmp (_String1="pause", _String2="SavRoam") returned -3 [0283.572] _wcsicmp (_String1="session", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="sessions", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="sess", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="share", _String2="SavRoam") returned 7 [0283.572] _wcsicmp (_String1="start", _String2="SavRoam") returned 19 [0283.572] _wcsicmp (_String1="stats", _String2="SavRoam") returned 19 [0283.572] _wcsicmp (_String1="statistics", _String2="SavRoam") returned 19 [0283.572] _wcsicmp (_String1="stop", _String2="SavRoam") returned 19 [0283.572] _wcsicmp (_String1="time", _String2="SavRoam") returned 1 [0283.572] _wcsicmp (_String1="user", _String2="SavRoam") returned 2 [0283.572] _wcsicmp (_String1="users", _String2="SavRoam") returned 2 [0283.572] _wcsicmp (_String1="msg", _String2="SavRoam") returned -6 [0283.572] _wcsicmp (_String1="messenger", _String2="SavRoam") returned -6 [0283.572] _wcsicmp (_String1="receiver", _String2="SavRoam") returned -1 [0283.572] _wcsicmp (_String1="rcv", _String2="SavRoam") returned -1 [0283.572] _wcsicmp (_String1="netpopup", _String2="SavRoam") returned -5 [0283.572] _wcsicmp (_String1="redirector", _String2="SavRoam") returned -1 [0283.572] _wcsicmp (_String1="redir", _String2="SavRoam") returned -1 [0283.572] _wcsicmp (_String1="rdr", _String2="SavRoam") returned -1 [0283.572] _wcsicmp (_String1="workstation", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="work", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="wksta", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="prdr", _String2="SavRoam") returned -3 [0283.572] _wcsicmp (_String1="devrdr", _String2="SavRoam") returned -15 [0283.572] _wcsicmp (_String1="lanmanworkstation", _String2="SavRoam") returned -7 [0283.572] _wcsicmp (_String1="server", _String2="SavRoam") returned 4 [0283.572] _wcsicmp (_String1="svr", _String2="SavRoam") returned 21 [0283.572] _wcsicmp (_String1="srv", _String2="SavRoam") returned 17 [0283.572] _wcsicmp (_String1="lanmanserver", _String2="SavRoam") returned -7 [0283.572] _wcsicmp (_String1="alerter", _String2="SavRoam") returned -18 [0283.572] _wcsicmp (_String1="netlogon", _String2="SavRoam") returned -5 [0283.572] _wcsupr (in: _String="SavRoam" | out: _String="SAVROAM") returned="SAVROAM" [0283.572] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2c10830 [0283.576] GetServiceKeyNameW (in: hSCManager=0x2c10830, lpDisplayName="SAVROAM", lpServiceName=0x1c8c28, lpcchBuffer=0x2a7fa3c | out: lpServiceName="", lpcchBuffer=0x2a7fa3c) returned 0 [0283.576] _wcsicmp (_String1="msg", _String2="SAVROAM") returned -6 [0283.576] _wcsicmp (_String1="messenger", _String2="SAVROAM") returned -6 [0283.576] _wcsicmp (_String1="receiver", _String2="SAVROAM") returned -1 [0283.576] _wcsicmp (_String1="rcv", _String2="SAVROAM") returned -1 [0283.576] _wcsicmp (_String1="redirector", _String2="SAVROAM") returned -1 [0283.576] _wcsicmp (_String1="redir", _String2="SAVROAM") returned -1 [0283.576] _wcsicmp (_String1="rdr", _String2="SAVROAM") returned -1 [0283.576] _wcsicmp (_String1="workstation", _String2="SAVROAM") returned 4 [0283.577] _wcsicmp (_String1="work", _String2="SAVROAM") returned 4 [0283.577] _wcsicmp (_String1="wksta", _String2="SAVROAM") returned 4 [0283.577] _wcsicmp (_String1="prdr", _String2="SAVROAM") returned -3 [0283.577] _wcsicmp (_String1="devrdr", _String2="SAVROAM") returned -15 [0283.577] _wcsicmp (_String1="lanmanworkstation", _String2="SAVROAM") returned -7 [0283.577] _wcsicmp (_String1="server", _String2="SAVROAM") returned 4 [0283.577] _wcsicmp (_String1="svr", _String2="SAVROAM") returned 21 [0283.577] _wcsicmp (_String1="srv", _String2="SAVROAM") returned 17 [0283.577] _wcsicmp (_String1="lanmanserver", _String2="SAVROAM") returned -7 [0283.577] _wcsicmp (_String1="alerter", _String2="SAVROAM") returned -18 [0283.577] _wcsicmp (_String1="netlogon", _String2="SAVROAM") returned -5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="WORKSTATION") returned -4 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="LanmanWorkstation") returned 7 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="SERVER") returned -4 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="LanmanServer") returned 7 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="BROWSER") returned 17 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="BROWSER") returned 17 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="MESSENGER") returned 6 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="MESSENGER") returned 6 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="NETRUN") returned 5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="NETRUN") returned 5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="SPOOLER") returned -15 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="SPOOLER") returned -15 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="ALERTER") returned 18 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="ALERTER") returned 18 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="NETLOGON") returned 5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="NETLOGON") returned 5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="NETPOPUP") returned 5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="NETPOPUP") returned 5 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="SQLSERVER") returned -16 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="SQLSERVER") returned -16 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="REPLICATOR") returned 1 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="REPLICATOR") returned 1 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="REMOTEBOOT") returned 1 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="REMOTEBOOT") returned 1 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="TIMESOURCE") returned -1 [0283.577] _wcsicmp (_String1="SAVROAM", _String2="TIMESOURCE") returned -1 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="AFP") returned 18 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="AFP") returned 18 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="UPS") returned -2 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="UPS") returned -2 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="XACTSRV") returned -5 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="XACTSRV") returned -5 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="TCPIP") returned -1 [0283.578] _wcsicmp (_String1="SAVROAM", _String2="TCPIP") returned -1 [0283.578] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2c10920 [0283.578] OpenServiceW (hSCManager=0x2c10920, lpServiceName="SAVROAM", dwDesiredAccess=0x84) returned 0x0 [0283.579] GetLastError () returned 0x424 [0283.579] CloseServiceHandle (hSCObject=0x2c10920) returned 1 [0283.579] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0283.579] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x27d0002 [0283.580] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x27d0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0283.581] GetFileType (hFile=0x94) returned 0x2 [0283.581] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2a7f8cc | out: lpMode=0x2a7f8cc) returned 1 [0283.581] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2a7f8d8, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2a7f8d8*=0x1e) returned 1 [0283.582] GetFileType (hFile=0x94) returned 0x2 [0283.582] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2a7f8cc | out: lpMode=0x2a7f8cc) returned 1 [0283.582] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2a7f8d8, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2a7f8d8*=0x2) returned 1 [0283.582] _ultow (in: _Dest=0x889, _Radix=44562720 | out: _Dest=0x889) returned="2185" [0283.582] FormatMessageW (in: dwFlags=0x2800, lpSource=0x27d0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0283.583] GetFileType (hFile=0x94) returned 0x2 [0283.583] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2a7f8f0 | out: lpMode=0x2a7f8f0) returned 1 [0283.583] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2a7f8fc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2a7f8fc*=0x34) returned 1 [0283.583] GetFileType (hFile=0x94) returned 0x2 [0283.583] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2a7f8f0 | out: lpMode=0x2a7f8f0) returned 1 [0283.583] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2a7f8fc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2a7f8fc*=0x2) returned 1 [0283.584] NetApiBufferFree (Buffer=0x2c085a0) returned 0x0 [0283.584] NetApiBufferFree (Buffer=0x2c085b8) returned 0x0 [0283.584] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop SavRoam /y" [0283.584] exit (_Code=2) Thread: id = 80 os_tid = 0x860 Process: id = "31" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x12044000" os_pid = "0xee0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop RTVscan /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 81 os_tid = 0xf58 Thread: id = 85 os_tid = 0x1300 Process: id = "32" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5989c000" os_pid = "0x1150" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xee0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0x12dc Thread: id = 83 os_tid = 0x56c Thread: id = 84 os_tid = 0x1304 Process: id = "33" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5949c000" os_pid = "0x1028" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xee0" cmd_line = "C:\\WINDOWS\\system32\\net1 stop RTVscan /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 86 os_tid = 0xe34 [0284.131] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0284.132] __set_app_type (_Type=0x1) [0284.132] __p__fmode () returned 0x776f3c14 [0284.132] __p__commode () returned 0x776f49ec [0284.132] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0284.132] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0284.132] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0284.132] GetConsoleOutputCP () returned 0x1b5 [0284.133] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0284.133] SetThreadUILanguage (LangId=0x0) returned 0x2680409 [0284.136] sprintf_s (in: _DstBuf=0x25df854, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0284.137] setlocale (category=0, locale=".437") returned="English_United States.437" [0284.139] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0284.139] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0284.139] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop RTVscan /y" [0284.139] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25df5fc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0284.139] RtlAllocateHeap (HeapHandle=0x2ad0000, Flags=0x0, Size=0x62) returned 0x2ad4390 [0284.139] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0284.139] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25df5f8 | out: Buffer=0x25df5f8*=0x2ad85d0) returned 0x0 [0284.139] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25df5f4 | out: Buffer=0x25df5f4*=0x2ad8540) returned 0x0 [0284.139] __iob_func () returned 0x776f2608 [0284.139] _fileno (_File=0x776f2608) returned 0 [0284.139] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0284.139] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0284.139] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0284.139] _wcsicmp (_String1="config", _String2="stop") returned -16 [0284.139] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0284.139] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0284.139] _wcsicmp (_String1="file", _String2="stop") returned -13 [0284.139] _wcsicmp (_String1="files", _String2="stop") returned -13 [0284.140] _wcsicmp (_String1="group", _String2="stop") returned -12 [0284.140] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0284.140] _wcsicmp (_String1="help", _String2="stop") returned -11 [0284.140] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0284.140] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0284.140] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0284.140] _wcsicmp (_String1="session", _String2="stop") returned -15 [0284.140] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0284.140] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0284.140] _wcsicmp (_String1="share", _String2="stop") returned -12 [0284.140] _wcsicmp (_String1="start", _String2="stop") returned -14 [0284.140] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0284.140] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0284.140] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0284.140] _wcsicmp (_String1="accounts", _String2="RTVscan") returned -17 [0284.140] _wcsicmp (_String1="computer", _String2="RTVscan") returned -15 [0284.140] _wcsicmp (_String1="config", _String2="RTVscan") returned -15 [0284.140] _wcsicmp (_String1="continue", _String2="RTVscan") returned -15 [0284.140] _wcsicmp (_String1="cont", _String2="RTVscan") returned -15 [0284.140] _wcsicmp (_String1="file", _String2="RTVscan") returned -12 [0284.140] _wcsicmp (_String1="files", _String2="RTVscan") returned -12 [0284.140] _wcsicmp (_String1="group", _String2="RTVscan") returned -11 [0284.140] _wcsicmp (_String1="groups", _String2="RTVscan") returned -11 [0284.140] _wcsicmp (_String1="help", _String2="RTVscan") returned -10 [0284.140] _wcsicmp (_String1="helpmsg", _String2="RTVscan") returned -10 [0284.140] _wcsicmp (_String1="localgroup", _String2="RTVscan") returned -6 [0284.141] _wcsicmp (_String1="pause", _String2="RTVscan") returned -2 [0284.141] _wcsicmp (_String1="session", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="sessions", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="sess", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="share", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="start", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="stats", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="statistics", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="stop", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="time", _String2="RTVscan") returned 2 [0284.141] _wcsicmp (_String1="user", _String2="RTVscan") returned 3 [0284.141] _wcsicmp (_String1="users", _String2="RTVscan") returned 3 [0284.141] _wcsicmp (_String1="msg", _String2="RTVscan") returned -5 [0284.141] _wcsicmp (_String1="messenger", _String2="RTVscan") returned -5 [0284.141] _wcsicmp (_String1="receiver", _String2="RTVscan") returned -15 [0284.141] _wcsicmp (_String1="rcv", _String2="RTVscan") returned -17 [0284.141] _wcsicmp (_String1="netpopup", _String2="RTVscan") returned -4 [0284.141] _wcsicmp (_String1="redirector", _String2="RTVscan") returned -15 [0284.141] _wcsicmp (_String1="redir", _String2="RTVscan") returned -15 [0284.141] _wcsicmp (_String1="rdr", _String2="RTVscan") returned -16 [0284.141] _wcsicmp (_String1="workstation", _String2="RTVscan") returned 5 [0284.141] _wcsicmp (_String1="work", _String2="RTVscan") returned 5 [0284.141] _wcsicmp (_String1="wksta", _String2="RTVscan") returned 5 [0284.141] _wcsicmp (_String1="prdr", _String2="RTVscan") returned -2 [0284.141] _wcsicmp (_String1="devrdr", _String2="RTVscan") returned -14 [0284.141] _wcsicmp (_String1="lanmanworkstation", _String2="RTVscan") returned -6 [0284.141] _wcsicmp (_String1="server", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="svr", _String2="RTVscan") returned 1 [0284.141] _wcsicmp (_String1="srv", _String2="RTVscan") returned 1 [0284.142] _wcsicmp (_String1="lanmanserver", _String2="RTVscan") returned -6 [0284.142] _wcsicmp (_String1="alerter", _String2="RTVscan") returned -17 [0284.142] _wcsicmp (_String1="netlogon", _String2="RTVscan") returned -4 [0284.142] _wcsupr (in: _String="RTVscan" | out: _String="RTVSCAN") returned="RTVSCAN" [0284.142] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ae1058 [0284.147] GetServiceKeyNameW (in: hSCManager=0x2ae1058, lpDisplayName="RTVSCAN", lpServiceName=0x1c8c28, lpcchBuffer=0x25df56c | out: lpServiceName="", lpcchBuffer=0x25df56c) returned 0 [0284.148] _wcsicmp (_String1="msg", _String2="RTVSCAN") returned -5 [0284.148] _wcsicmp (_String1="messenger", _String2="RTVSCAN") returned -5 [0284.148] _wcsicmp (_String1="receiver", _String2="RTVSCAN") returned -15 [0284.148] _wcsicmp (_String1="rcv", _String2="RTVSCAN") returned -17 [0284.148] _wcsicmp (_String1="redirector", _String2="RTVSCAN") returned -15 [0284.148] _wcsicmp (_String1="redir", _String2="RTVSCAN") returned -15 [0284.148] _wcsicmp (_String1="rdr", _String2="RTVSCAN") returned -16 [0284.148] _wcsicmp (_String1="workstation", _String2="RTVSCAN") returned 5 [0284.149] _wcsicmp (_String1="work", _String2="RTVSCAN") returned 5 [0284.149] _wcsicmp (_String1="wksta", _String2="RTVSCAN") returned 5 [0284.149] _wcsicmp (_String1="prdr", _String2="RTVSCAN") returned -2 [0284.149] _wcsicmp (_String1="devrdr", _String2="RTVSCAN") returned -14 [0284.149] _wcsicmp (_String1="lanmanworkstation", _String2="RTVSCAN") returned -6 [0284.149] _wcsicmp (_String1="server", _String2="RTVSCAN") returned 1 [0284.149] _wcsicmp (_String1="svr", _String2="RTVSCAN") returned 1 [0284.149] _wcsicmp (_String1="srv", _String2="RTVSCAN") returned 1 [0284.149] _wcsicmp (_String1="lanmanserver", _String2="RTVSCAN") returned -6 [0284.149] _wcsicmp (_String1="alerter", _String2="RTVSCAN") returned -17 [0284.149] _wcsicmp (_String1="netlogon", _String2="RTVSCAN") returned -4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="WORKSTATION") returned -5 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="LanmanWorkstation") returned 6 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="SERVER") returned -1 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="LanmanServer") returned 6 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="BROWSER") returned 16 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="BROWSER") returned 16 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="MESSENGER") returned 5 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="MESSENGER") returned 5 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="NETRUN") returned 4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="NETRUN") returned 4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="SPOOLER") returned -1 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="SPOOLER") returned -1 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="ALERTER") returned 17 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="ALERTER") returned 17 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="NETLOGON") returned 4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="NETLOGON") returned 4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="NETPOPUP") returned 4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="NETPOPUP") returned 4 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="SQLSERVER") returned -1 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="SQLSERVER") returned -1 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="REPLICATOR") returned 15 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="REPLICATOR") returned 15 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="REMOTEBOOT") returned 15 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="REMOTEBOOT") returned 15 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="TIMESOURCE") returned -2 [0284.149] _wcsicmp (_String1="RTVSCAN", _String2="TIMESOURCE") returned -2 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="AFP") returned 17 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="AFP") returned 17 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="UPS") returned -3 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="UPS") returned -3 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="XACTSRV") returned -6 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="XACTSRV") returned -6 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="TCPIP") returned -2 [0284.150] _wcsicmp (_String1="RTVSCAN", _String2="TCPIP") returned -2 [0284.150] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2ae1148 [0284.150] OpenServiceW (hSCManager=0x2ae1148, lpServiceName="RTVSCAN", dwDesiredAccess=0x84) returned 0x0 [0284.150] GetLastError () returned 0x424 [0284.151] CloseServiceHandle (hSCObject=0x2ae1148) returned 1 [0284.151] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0284.151] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2920002 [0284.151] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2920002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0284.152] GetFileType (hFile=0x94) returned 0x2 [0284.152] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25df3fc | out: lpMode=0x25df3fc) returned 1 [0284.152] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x25df408, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x25df408*=0x1e) returned 1 [0284.153] GetFileType (hFile=0x94) returned 0x2 [0284.153] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25df3fc | out: lpMode=0x25df3fc) returned 1 [0284.153] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x25df408, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x25df408*=0x2) returned 1 [0284.153] _ultow (in: _Dest=0x889, _Radix=39711824 | out: _Dest=0x889) returned="2185" [0284.154] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2920002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0284.154] GetFileType (hFile=0x94) returned 0x2 [0284.154] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25df420 | out: lpMode=0x25df420) returned 1 [0284.154] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x25df42c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x25df42c*=0x34) returned 1 [0284.154] GetFileType (hFile=0x94) returned 0x2 [0284.154] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x25df420 | out: lpMode=0x25df420) returned 1 [0284.155] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x25df42c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x25df42c*=0x2) returned 1 [0284.155] NetApiBufferFree (Buffer=0x2ad85d0) returned 0x0 [0284.155] NetApiBufferFree (Buffer=0x2ad8540) returned 0x0 [0284.155] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop RTVscan /y" [0284.155] exit (_Code=2) Thread: id = 87 os_tid = 0x13a4 Process: id = "34" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x59449000" os_pid = "0x130c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop QBFCService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 88 os_tid = 0x1244 Thread: id = 92 os_tid = 0xfd4 Process: id = "35" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x939d000" os_pid = "0x1140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0x130c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 89 os_tid = 0xd38 Thread: id = 90 os_tid = 0x1178 Thread: id = 91 os_tid = 0x117c Process: id = "36" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x7779b000" os_pid = "0x1334" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0x130c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop QBFCService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 93 os_tid = 0x1228 [0284.592] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0284.593] __set_app_type (_Type=0x1) [0284.593] __p__fmode () returned 0x776f3c14 [0284.593] __p__commode () returned 0x776f49ec [0284.593] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0284.593] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0284.593] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0284.593] GetConsoleOutputCP () returned 0x1b5 [0284.594] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0284.594] SetThreadUILanguage (LangId=0x0) returned 0x31f0409 [0284.598] sprintf_s (in: _DstBuf=0x32bfbe8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0284.598] setlocale (category=0, locale=".437") returned="English_United States.437" [0284.600] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0284.600] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0284.600] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop QBFCService /y" [0284.600] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32bf990, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0284.600] RtlAllocateHeap (HeapHandle=0x3430000, Flags=0x0, Size=0x6a) returned 0x3434218 [0284.600] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0284.600] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32bf98c | out: Buffer=0x32bf98c*=0x3438b58) returned 0x0 [0284.600] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32bf988 | out: Buffer=0x32bf988*=0x3438ac8) returned 0x0 [0284.600] __iob_func () returned 0x776f2608 [0284.600] _fileno (_File=0x776f2608) returned 0 [0284.600] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0284.601] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0284.601] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0284.601] _wcsicmp (_String1="config", _String2="stop") returned -16 [0284.601] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0284.601] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0284.601] _wcsicmp (_String1="file", _String2="stop") returned -13 [0284.601] _wcsicmp (_String1="files", _String2="stop") returned -13 [0284.601] _wcsicmp (_String1="group", _String2="stop") returned -12 [0284.601] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0284.601] _wcsicmp (_String1="help", _String2="stop") returned -11 [0284.601] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0284.601] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0284.601] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0284.601] _wcsicmp (_String1="session", _String2="stop") returned -15 [0284.601] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0284.601] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0284.601] _wcsicmp (_String1="share", _String2="stop") returned -12 [0284.601] _wcsicmp (_String1="start", _String2="stop") returned -14 [0284.601] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0284.601] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0284.601] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0284.601] _wcsicmp (_String1="accounts", _String2="QBFCService") returned -16 [0284.601] _wcsicmp (_String1="computer", _String2="QBFCService") returned -14 [0284.602] _wcsicmp (_String1="config", _String2="QBFCService") returned -14 [0284.602] _wcsicmp (_String1="continue", _String2="QBFCService") returned -14 [0284.602] _wcsicmp (_String1="cont", _String2="QBFCService") returned -14 [0284.602] _wcsicmp (_String1="file", _String2="QBFCService") returned -11 [0284.602] _wcsicmp (_String1="files", _String2="QBFCService") returned -11 [0284.602] _wcsicmp (_String1="group", _String2="QBFCService") returned -10 [0284.602] _wcsicmp (_String1="groups", _String2="QBFCService") returned -10 [0284.602] _wcsicmp (_String1="help", _String2="QBFCService") returned -9 [0284.602] _wcsicmp (_String1="helpmsg", _String2="QBFCService") returned -9 [0284.602] _wcsicmp (_String1="localgroup", _String2="QBFCService") returned -5 [0284.602] _wcsicmp (_String1="pause", _String2="QBFCService") returned -1 [0284.602] _wcsicmp (_String1="session", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="sessions", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="sess", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="share", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="start", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="stats", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="statistics", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="stop", _String2="QBFCService") returned 2 [0284.602] _wcsicmp (_String1="time", _String2="QBFCService") returned 3 [0284.602] _wcsicmp (_String1="user", _String2="QBFCService") returned 4 [0284.602] _wcsicmp (_String1="users", _String2="QBFCService") returned 4 [0284.602] _wcsicmp (_String1="msg", _String2="QBFCService") returned -4 [0284.602] _wcsicmp (_String1="messenger", _String2="QBFCService") returned -4 [0284.602] _wcsicmp (_String1="receiver", _String2="QBFCService") returned 1 [0284.602] _wcsicmp (_String1="rcv", _String2="QBFCService") returned 1 [0284.602] _wcsicmp (_String1="netpopup", _String2="QBFCService") returned -3 [0284.602] _wcsicmp (_String1="redirector", _String2="QBFCService") returned 1 [0284.603] _wcsicmp (_String1="redir", _String2="QBFCService") returned 1 [0284.603] _wcsicmp (_String1="rdr", _String2="QBFCService") returned 1 [0284.603] _wcsicmp (_String1="workstation", _String2="QBFCService") returned 6 [0284.603] _wcsicmp (_String1="work", _String2="QBFCService") returned 6 [0284.603] _wcsicmp (_String1="wksta", _String2="QBFCService") returned 6 [0284.603] _wcsicmp (_String1="prdr", _String2="QBFCService") returned -1 [0284.603] _wcsicmp (_String1="devrdr", _String2="QBFCService") returned -13 [0284.603] _wcsicmp (_String1="lanmanworkstation", _String2="QBFCService") returned -5 [0284.603] _wcsicmp (_String1="server", _String2="QBFCService") returned 2 [0284.603] _wcsicmp (_String1="svr", _String2="QBFCService") returned 2 [0284.603] _wcsicmp (_String1="srv", _String2="QBFCService") returned 2 [0284.603] _wcsicmp (_String1="lanmanserver", _String2="QBFCService") returned -5 [0284.603] _wcsicmp (_String1="alerter", _String2="QBFCService") returned -16 [0284.603] _wcsicmp (_String1="netlogon", _String2="QBFCService") returned -3 [0284.603] _wcsupr (in: _String="QBFCService" | out: _String="QBFCSERVICE") returned="QBFCSERVICE" [0284.603] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3440770 [0284.607] GetServiceKeyNameW (in: hSCManager=0x3440770, lpDisplayName="QBFCSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x32bf8fc | out: lpServiceName="", lpcchBuffer=0x32bf8fc) returned 0 [0284.609] _wcsicmp (_String1="msg", _String2="QBFCSERVICE") returned -4 [0284.609] _wcsicmp (_String1="messenger", _String2="QBFCSERVICE") returned -4 [0284.609] _wcsicmp (_String1="receiver", _String2="QBFCSERVICE") returned 1 [0284.609] _wcsicmp (_String1="rcv", _String2="QBFCSERVICE") returned 1 [0284.609] _wcsicmp (_String1="redirector", _String2="QBFCSERVICE") returned 1 [0284.609] _wcsicmp (_String1="redir", _String2="QBFCSERVICE") returned 1 [0284.609] _wcsicmp (_String1="rdr", _String2="QBFCSERVICE") returned 1 [0284.609] _wcsicmp (_String1="workstation", _String2="QBFCSERVICE") returned 6 [0284.609] _wcsicmp (_String1="work", _String2="QBFCSERVICE") returned 6 [0284.609] _wcsicmp (_String1="wksta", _String2="QBFCSERVICE") returned 6 [0284.609] _wcsicmp (_String1="prdr", _String2="QBFCSERVICE") returned -1 [0284.609] _wcsicmp (_String1="devrdr", _String2="QBFCSERVICE") returned -13 [0284.609] _wcsicmp (_String1="lanmanworkstation", _String2="QBFCSERVICE") returned -5 [0284.609] _wcsicmp (_String1="server", _String2="QBFCSERVICE") returned 2 [0284.609] _wcsicmp (_String1="svr", _String2="QBFCSERVICE") returned 2 [0284.609] _wcsicmp (_String1="srv", _String2="QBFCSERVICE") returned 2 [0284.609] _wcsicmp (_String1="lanmanserver", _String2="QBFCSERVICE") returned -5 [0284.609] _wcsicmp (_String1="alerter", _String2="QBFCSERVICE") returned -16 [0284.609] _wcsicmp (_String1="netlogon", _String2="QBFCSERVICE") returned -3 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="WORKSTATION") returned -6 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="LanmanWorkstation") returned 5 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="SERVER") returned -2 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="LanmanServer") returned 5 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="BROWSER") returned 15 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="BROWSER") returned 15 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="MESSENGER") returned 4 [0284.609] _wcsicmp (_String1="QBFCSERVICE", _String2="MESSENGER") returned 4 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="NETRUN") returned 3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="NETRUN") returned 3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="SPOOLER") returned -2 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="SPOOLER") returned -2 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="ALERTER") returned 16 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="ALERTER") returned 16 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="NETLOGON") returned 3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="NETLOGON") returned 3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="NETPOPUP") returned 3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="NETPOPUP") returned 3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="SQLSERVER") returned -2 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="SQLSERVER") returned -2 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="REPLICATOR") returned -1 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="REPLICATOR") returned -1 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="REMOTEBOOT") returned -1 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="REMOTEBOOT") returned -1 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="TIMESOURCE") returned -3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="TIMESOURCE") returned -3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="AFP") returned 16 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="AFP") returned 16 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="UPS") returned -4 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="UPS") returned -4 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="XACTSRV") returned -7 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="XACTSRV") returned -7 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="TCPIP") returned -3 [0284.610] _wcsicmp (_String1="QBFCSERVICE", _String2="TCPIP") returned -3 [0284.610] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x34406d0 [0284.611] OpenServiceW (hSCManager=0x34406d0, lpServiceName="QBFCSERVICE", dwDesiredAccess=0x84) returned 0x0 [0284.611] GetLastError () returned 0x424 [0284.612] CloseServiceHandle (hSCObject=0x34406d0) returned 1 [0284.612] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0284.612] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x3400002 [0284.613] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x3400002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0284.614] GetFileType (hFile=0x94) returned 0x2 [0284.614] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x32bf78c | out: lpMode=0x32bf78c) returned 1 [0284.614] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x32bf798, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x32bf798*=0x1e) returned 1 [0284.615] GetFileType (hFile=0x94) returned 0x2 [0284.615] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x32bf78c | out: lpMode=0x32bf78c) returned 1 [0284.615] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x32bf798, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x32bf798*=0x2) returned 1 [0284.616] _ultow (in: _Dest=0x889, _Radix=53213152 | out: _Dest=0x889) returned="2185" [0284.616] FormatMessageW (in: dwFlags=0x2800, lpSource=0x3400002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0284.616] GetFileType (hFile=0x94) returned 0x2 [0284.616] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x32bf7b0 | out: lpMode=0x32bf7b0) returned 1 [0284.616] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x32bf7bc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x32bf7bc*=0x34) returned 1 [0284.617] GetFileType (hFile=0x94) returned 0x2 [0284.619] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x32bf7b0 | out: lpMode=0x32bf7b0) returned 1 [0284.619] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x32bf7bc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x32bf7bc*=0x2) returned 1 [0284.620] NetApiBufferFree (Buffer=0x3438b58) returned 0x0 [0284.620] NetApiBufferFree (Buffer=0x3438ac8) returned 0x0 [0284.620] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop QBFCService /y" [0284.620] exit (_Code=2) Thread: id = 94 os_tid = 0x113c Process: id = "37" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6c4ce000" os_pid = "0x1330" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop QBIDPService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 95 os_tid = 0x12e4 Thread: id = 99 os_tid = 0x12e0 Process: id = "38" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59107000" os_pid = "0x116c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "37" os_parent_pid = "0x1330" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 96 os_tid = 0x1168 Thread: id = 97 os_tid = 0x11cc Thread: id = 98 os_tid = 0x11c8 Process: id = "39" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x77f05000" os_pid = "0x11a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "37" os_parent_pid = "0x1330" cmd_line = "C:\\WINDOWS\\system32\\net1 stop QBIDPService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 100 os_tid = 0x520 [0285.097] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0285.097] __set_app_type (_Type=0x1) [0285.097] __p__fmode () returned 0x776f3c14 [0285.097] __p__commode () returned 0x776f49ec [0285.097] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0285.097] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0285.097] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0285.097] GetConsoleOutputCP () returned 0x1b5 [0285.098] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0285.098] SetThreadUILanguage (LangId=0x0) returned 0x30f0409 [0285.100] sprintf_s (in: _DstBuf=0x2fdfd14, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0285.101] setlocale (category=0, locale=".437") returned="English_United States.437" [0285.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0285.102] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0285.102] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop QBIDPService /y" [0285.102] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2fdfabc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0285.102] RtlAllocateHeap (HeapHandle=0x32d0000, Flags=0x0, Size=0x6c) returned 0x32d7880 [0285.102] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0285.102] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2fdfab8 | out: Buffer=0x2fdfab8*=0x32d8628) returned 0x0 [0285.102] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2fdfab4 | out: Buffer=0x2fdfab4*=0x32d85f8) returned 0x0 [0285.102] __iob_func () returned 0x776f2608 [0285.102] _fileno (_File=0x776f2608) returned 0 [0285.102] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0285.103] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0285.103] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0285.103] _wcsicmp (_String1="config", _String2="stop") returned -16 [0285.103] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0285.103] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0285.103] _wcsicmp (_String1="file", _String2="stop") returned -13 [0285.103] _wcsicmp (_String1="files", _String2="stop") returned -13 [0285.103] _wcsicmp (_String1="group", _String2="stop") returned -12 [0285.103] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0285.103] _wcsicmp (_String1="help", _String2="stop") returned -11 [0285.103] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0285.103] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0285.103] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0285.103] _wcsicmp (_String1="session", _String2="stop") returned -15 [0285.103] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0285.103] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0285.103] _wcsicmp (_String1="share", _String2="stop") returned -12 [0285.103] _wcsicmp (_String1="start", _String2="stop") returned -14 [0285.103] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0285.103] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0285.103] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0285.103] _wcsicmp (_String1="accounts", _String2="QBIDPService") returned -16 [0285.103] _wcsicmp (_String1="computer", _String2="QBIDPService") returned -14 [0285.103] _wcsicmp (_String1="config", _String2="QBIDPService") returned -14 [0285.103] _wcsicmp (_String1="continue", _String2="QBIDPService") returned -14 [0285.103] _wcsicmp (_String1="cont", _String2="QBIDPService") returned -14 [0285.103] _wcsicmp (_String1="file", _String2="QBIDPService") returned -11 [0285.103] _wcsicmp (_String1="files", _String2="QBIDPService") returned -11 [0285.103] _wcsicmp (_String1="group", _String2="QBIDPService") returned -10 [0285.103] _wcsicmp (_String1="groups", _String2="QBIDPService") returned -10 [0285.103] _wcsicmp (_String1="help", _String2="QBIDPService") returned -9 [0285.103] _wcsicmp (_String1="helpmsg", _String2="QBIDPService") returned -9 [0285.103] _wcsicmp (_String1="localgroup", _String2="QBIDPService") returned -5 [0285.103] _wcsicmp (_String1="pause", _String2="QBIDPService") returned -1 [0285.103] _wcsicmp (_String1="session", _String2="QBIDPService") returned 2 [0285.103] _wcsicmp (_String1="sessions", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="sess", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="share", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="start", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="stats", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="statistics", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="stop", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="time", _String2="QBIDPService") returned 3 [0285.104] _wcsicmp (_String1="user", _String2="QBIDPService") returned 4 [0285.104] _wcsicmp (_String1="users", _String2="QBIDPService") returned 4 [0285.104] _wcsicmp (_String1="msg", _String2="QBIDPService") returned -4 [0285.104] _wcsicmp (_String1="messenger", _String2="QBIDPService") returned -4 [0285.104] _wcsicmp (_String1="receiver", _String2="QBIDPService") returned 1 [0285.104] _wcsicmp (_String1="rcv", _String2="QBIDPService") returned 1 [0285.104] _wcsicmp (_String1="netpopup", _String2="QBIDPService") returned -3 [0285.104] _wcsicmp (_String1="redirector", _String2="QBIDPService") returned 1 [0285.104] _wcsicmp (_String1="redir", _String2="QBIDPService") returned 1 [0285.104] _wcsicmp (_String1="rdr", _String2="QBIDPService") returned 1 [0285.104] _wcsicmp (_String1="workstation", _String2="QBIDPService") returned 6 [0285.104] _wcsicmp (_String1="work", _String2="QBIDPService") returned 6 [0285.104] _wcsicmp (_String1="wksta", _String2="QBIDPService") returned 6 [0285.104] _wcsicmp (_String1="prdr", _String2="QBIDPService") returned -1 [0285.104] _wcsicmp (_String1="devrdr", _String2="QBIDPService") returned -13 [0285.104] _wcsicmp (_String1="lanmanworkstation", _String2="QBIDPService") returned -5 [0285.104] _wcsicmp (_String1="server", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="svr", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="srv", _String2="QBIDPService") returned 2 [0285.104] _wcsicmp (_String1="lanmanserver", _String2="QBIDPService") returned -5 [0285.104] _wcsicmp (_String1="alerter", _String2="QBIDPService") returned -16 [0285.104] _wcsicmp (_String1="netlogon", _String2="QBIDPService") returned -3 [0285.104] _wcsupr (in: _String="QBIDPService" | out: _String="QBIDPSERVICE") returned="QBIDPSERVICE" [0285.104] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32e08b8 [0285.108] GetServiceKeyNameW (in: hSCManager=0x32e08b8, lpDisplayName="QBIDPSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x2fdfa2c | out: lpServiceName="", lpcchBuffer=0x2fdfa2c) returned 0 [0285.108] _wcsicmp (_String1="msg", _String2="QBIDPSERVICE") returned -4 [0285.108] _wcsicmp (_String1="messenger", _String2="QBIDPSERVICE") returned -4 [0285.108] _wcsicmp (_String1="receiver", _String2="QBIDPSERVICE") returned 1 [0285.108] _wcsicmp (_String1="rcv", _String2="QBIDPSERVICE") returned 1 [0285.108] _wcsicmp (_String1="redirector", _String2="QBIDPSERVICE") returned 1 [0285.108] _wcsicmp (_String1="redir", _String2="QBIDPSERVICE") returned 1 [0285.108] _wcsicmp (_String1="rdr", _String2="QBIDPSERVICE") returned 1 [0285.108] _wcsicmp (_String1="workstation", _String2="QBIDPSERVICE") returned 6 [0285.109] _wcsicmp (_String1="work", _String2="QBIDPSERVICE") returned 6 [0285.109] _wcsicmp (_String1="wksta", _String2="QBIDPSERVICE") returned 6 [0285.109] _wcsicmp (_String1="prdr", _String2="QBIDPSERVICE") returned -1 [0285.109] _wcsicmp (_String1="devrdr", _String2="QBIDPSERVICE") returned -13 [0285.109] _wcsicmp (_String1="lanmanworkstation", _String2="QBIDPSERVICE") returned -5 [0285.109] _wcsicmp (_String1="server", _String2="QBIDPSERVICE") returned 2 [0285.109] _wcsicmp (_String1="svr", _String2="QBIDPSERVICE") returned 2 [0285.109] _wcsicmp (_String1="srv", _String2="QBIDPSERVICE") returned 2 [0285.109] _wcsicmp (_String1="lanmanserver", _String2="QBIDPSERVICE") returned -5 [0285.109] _wcsicmp (_String1="alerter", _String2="QBIDPSERVICE") returned -16 [0285.109] _wcsicmp (_String1="netlogon", _String2="QBIDPSERVICE") returned -3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="WORKSTATION") returned -6 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="LanmanWorkstation") returned 5 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="SERVER") returned -2 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="LanmanServer") returned 5 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="BROWSER") returned 15 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="BROWSER") returned 15 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="MESSENGER") returned 4 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="MESSENGER") returned 4 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="NETRUN") returned 3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="NETRUN") returned 3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="SPOOLER") returned -2 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="SPOOLER") returned -2 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="ALERTER") returned 16 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="ALERTER") returned 16 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="NETLOGON") returned 3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="NETLOGON") returned 3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="NETPOPUP") returned 3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="NETPOPUP") returned 3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="SQLSERVER") returned -2 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="SQLSERVER") returned -2 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="REPLICATOR") returned -1 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="REPLICATOR") returned -1 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="REMOTEBOOT") returned -1 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="REMOTEBOOT") returned -1 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="TIMESOURCE") returned -3 [0285.109] _wcsicmp (_String1="QBIDPSERVICE", _String2="TIMESOURCE") returned -3 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="AFP") returned 16 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="AFP") returned 16 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="UPS") returned -4 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="UPS") returned -4 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="XACTSRV") returned -7 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="XACTSRV") returned -7 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="TCPIP") returned -3 [0285.110] _wcsicmp (_String1="QBIDPSERVICE", _String2="TCPIP") returned -3 [0285.110] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x32e0ac0 [0285.110] OpenServiceW (hSCManager=0x32e0ac0, lpServiceName="QBIDPSERVICE", dwDesiredAccess=0x84) returned 0x0 [0285.110] GetLastError () returned 0x424 [0285.110] CloseServiceHandle (hSCObject=0x32e0ac0) returned 1 [0285.111] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0285.111] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x3210002 [0285.111] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x3210002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0285.112] GetFileType (hFile=0x94) returned 0x2 [0285.112] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2fdf8bc | out: lpMode=0x2fdf8bc) returned 1 [0285.112] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2fdf8c8, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2fdf8c8*=0x1e) returned 1 [0285.113] GetFileType (hFile=0x94) returned 0x2 [0285.113] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2fdf8bc | out: lpMode=0x2fdf8bc) returned 1 [0285.113] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2fdf8c8, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2fdf8c8*=0x2) returned 1 [0285.113] _ultow (in: _Dest=0x889, _Radix=50198800 | out: _Dest=0x889) returned="2185" [0285.113] FormatMessageW (in: dwFlags=0x2800, lpSource=0x3210002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0285.114] GetFileType (hFile=0x94) returned 0x2 [0285.114] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2fdf8e0 | out: lpMode=0x2fdf8e0) returned 1 [0285.114] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2fdf8ec, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2fdf8ec*=0x34) returned 1 [0285.114] GetFileType (hFile=0x94) returned 0x2 [0285.114] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2fdf8e0 | out: lpMode=0x2fdf8e0) returned 1 [0285.114] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2fdf8ec, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2fdf8ec*=0x2) returned 1 [0285.115] NetApiBufferFree (Buffer=0x32d8628) returned 0x0 [0285.115] NetApiBufferFree (Buffer=0x32d85f8) returned 0x0 [0285.115] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop QBIDPService /y" [0285.115] exit (_Code=2) Thread: id = 101 os_tid = 0x11e0 Process: id = "40" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1af53000" os_pid = "0x11dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop Intuit.QuickBooks.FCS /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 102 os_tid = 0x1290 Thread: id = 106 os_tid = 0x1020 Process: id = "41" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4032c000" os_pid = "0x1288" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x11dc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 103 os_tid = 0xecc Thread: id = 104 os_tid = 0xf44 Thread: id = 105 os_tid = 0x12f8 Process: id = "42" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0xb3ab000" os_pid = "0x11d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x11dc" cmd_line = "C:\\WINDOWS\\system32\\net1 stop Intuit.QuickBooks.FCS /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 107 os_tid = 0x1148 [0285.518] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0285.518] __set_app_type (_Type=0x1) [0285.518] __p__fmode () returned 0x776f3c14 [0285.518] __p__commode () returned 0x776f49ec [0285.518] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0285.519] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0285.519] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0285.519] GetConsoleOutputCP () returned 0x1b5 [0285.519] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0285.519] SetThreadUILanguage (LangId=0x0) returned 0x2bf0409 [0285.522] sprintf_s (in: _DstBuf=0x2cdf990, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0285.522] setlocale (category=0, locale=".437") returned="English_United States.437" [0285.524] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0285.524] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0285.524] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop Intuit.QuickBooks.FCS /y" [0285.524] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cdf738, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0285.524] RtlAllocateHeap (HeapHandle=0x2d40000, Flags=0x0, Size=0x7e) returned 0x2d445b0 [0285.524] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0285.524] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cdf734 | out: Buffer=0x2cdf734*=0x2d47d70) returned 0x0 [0285.524] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cdf730 | out: Buffer=0x2cdf730*=0x2d47e78) returned 0x0 [0285.524] __iob_func () returned 0x776f2608 [0285.524] _fileno (_File=0x776f2608) returned 0 [0285.524] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0285.524] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0285.524] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0285.524] _wcsicmp (_String1="config", _String2="stop") returned -16 [0285.524] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0285.524] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0285.524] _wcsicmp (_String1="file", _String2="stop") returned -13 [0285.524] _wcsicmp (_String1="files", _String2="stop") returned -13 [0285.524] _wcsicmp (_String1="group", _String2="stop") returned -12 [0285.524] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0285.524] _wcsicmp (_String1="help", _String2="stop") returned -11 [0285.524] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0285.524] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0285.524] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0285.524] _wcsicmp (_String1="session", _String2="stop") returned -15 [0285.525] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0285.525] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0285.525] _wcsicmp (_String1="share", _String2="stop") returned -12 [0285.525] _wcsicmp (_String1="start", _String2="stop") returned -14 [0285.525] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0285.525] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0285.525] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0285.525] _wcsicmp (_String1="accounts", _String2="Intuit.QuickBooks.FCS") returned -8 [0285.525] _wcsicmp (_String1="computer", _String2="Intuit.QuickBooks.FCS") returned -6 [0285.525] _wcsicmp (_String1="config", _String2="Intuit.QuickBooks.FCS") returned -6 [0285.525] _wcsicmp (_String1="continue", _String2="Intuit.QuickBooks.FCS") returned -6 [0285.525] _wcsicmp (_String1="cont", _String2="Intuit.QuickBooks.FCS") returned -6 [0285.525] _wcsicmp (_String1="file", _String2="Intuit.QuickBooks.FCS") returned -3 [0285.525] _wcsicmp (_String1="files", _String2="Intuit.QuickBooks.FCS") returned -3 [0285.525] _wcsicmp (_String1="group", _String2="Intuit.QuickBooks.FCS") returned -2 [0285.525] _wcsicmp (_String1="groups", _String2="Intuit.QuickBooks.FCS") returned -2 [0285.525] _wcsicmp (_String1="help", _String2="Intuit.QuickBooks.FCS") returned -1 [0285.525] _wcsicmp (_String1="helpmsg", _String2="Intuit.QuickBooks.FCS") returned -1 [0285.525] _wcsicmp (_String1="localgroup", _String2="Intuit.QuickBooks.FCS") returned 3 [0285.525] _wcsicmp (_String1="pause", _String2="Intuit.QuickBooks.FCS") returned 7 [0285.525] _wcsicmp (_String1="session", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="sessions", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="sess", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="share", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="start", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="stats", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="statistics", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="stop", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.525] _wcsicmp (_String1="time", _String2="Intuit.QuickBooks.FCS") returned 11 [0285.525] _wcsicmp (_String1="user", _String2="Intuit.QuickBooks.FCS") returned 12 [0285.525] _wcsicmp (_String1="users", _String2="Intuit.QuickBooks.FCS") returned 12 [0285.525] _wcsicmp (_String1="msg", _String2="Intuit.QuickBooks.FCS") returned 4 [0285.525] _wcsicmp (_String1="messenger", _String2="Intuit.QuickBooks.FCS") returned 4 [0285.525] _wcsicmp (_String1="receiver", _String2="Intuit.QuickBooks.FCS") returned 9 [0285.526] _wcsicmp (_String1="rcv", _String2="Intuit.QuickBooks.FCS") returned 9 [0285.526] _wcsicmp (_String1="netpopup", _String2="Intuit.QuickBooks.FCS") returned 5 [0285.526] _wcsicmp (_String1="redirector", _String2="Intuit.QuickBooks.FCS") returned 9 [0285.526] _wcsicmp (_String1="redir", _String2="Intuit.QuickBooks.FCS") returned 9 [0285.526] _wcsicmp (_String1="rdr", _String2="Intuit.QuickBooks.FCS") returned 9 [0285.526] _wcsicmp (_String1="workstation", _String2="Intuit.QuickBooks.FCS") returned 14 [0285.526] _wcsicmp (_String1="work", _String2="Intuit.QuickBooks.FCS") returned 14 [0285.526] _wcsicmp (_String1="wksta", _String2="Intuit.QuickBooks.FCS") returned 14 [0285.526] _wcsicmp (_String1="prdr", _String2="Intuit.QuickBooks.FCS") returned 7 [0285.526] _wcsicmp (_String1="devrdr", _String2="Intuit.QuickBooks.FCS") returned -5 [0285.526] _wcsicmp (_String1="lanmanworkstation", _String2="Intuit.QuickBooks.FCS") returned 3 [0285.526] _wcsicmp (_String1="server", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.526] _wcsicmp (_String1="svr", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.526] _wcsicmp (_String1="srv", _String2="Intuit.QuickBooks.FCS") returned 10 [0285.526] _wcsicmp (_String1="lanmanserver", _String2="Intuit.QuickBooks.FCS") returned 3 [0285.526] _wcsicmp (_String1="alerter", _String2="Intuit.QuickBooks.FCS") returned -8 [0285.526] _wcsicmp (_String1="netlogon", _String2="Intuit.QuickBooks.FCS") returned 5 [0285.526] _wcsupr (in: _String="Intuit.QuickBooks.FCS" | out: _String="INTUIT.QUICKBOOKS.FCS") returned="INTUIT.QUICKBOOKS.FCS" [0285.526] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d507c8 [0285.532] GetServiceKeyNameW (in: hSCManager=0x2d507c8, lpDisplayName="INTUIT.QUICKBOOKS.FCS", lpServiceName=0x1c8c28, lpcchBuffer=0x2cdf6a4 | out: lpServiceName="", lpcchBuffer=0x2cdf6a4) returned 0 [0285.533] _wcsicmp (_String1="msg", _String2="INTUIT.QUICKBOOKS.FCS") returned 4 [0285.533] _wcsicmp (_String1="messenger", _String2="INTUIT.QUICKBOOKS.FCS") returned 4 [0285.533] _wcsicmp (_String1="receiver", _String2="INTUIT.QUICKBOOKS.FCS") returned 9 [0285.533] _wcsicmp (_String1="rcv", _String2="INTUIT.QUICKBOOKS.FCS") returned 9 [0285.533] _wcsicmp (_String1="redirector", _String2="INTUIT.QUICKBOOKS.FCS") returned 9 [0285.533] _wcsicmp (_String1="redir", _String2="INTUIT.QUICKBOOKS.FCS") returned 9 [0285.533] _wcsicmp (_String1="rdr", _String2="INTUIT.QUICKBOOKS.FCS") returned 9 [0285.533] _wcsicmp (_String1="workstation", _String2="INTUIT.QUICKBOOKS.FCS") returned 14 [0285.533] _wcsicmp (_String1="work", _String2="INTUIT.QUICKBOOKS.FCS") returned 14 [0285.533] _wcsicmp (_String1="wksta", _String2="INTUIT.QUICKBOOKS.FCS") returned 14 [0285.533] _wcsicmp (_String1="prdr", _String2="INTUIT.QUICKBOOKS.FCS") returned 7 [0285.533] _wcsicmp (_String1="devrdr", _String2="INTUIT.QUICKBOOKS.FCS") returned -5 [0285.533] _wcsicmp (_String1="lanmanworkstation", _String2="INTUIT.QUICKBOOKS.FCS") returned 3 [0285.533] _wcsicmp (_String1="server", _String2="INTUIT.QUICKBOOKS.FCS") returned 10 [0285.533] _wcsicmp (_String1="svr", _String2="INTUIT.QUICKBOOKS.FCS") returned 10 [0285.533] _wcsicmp (_String1="srv", _String2="INTUIT.QUICKBOOKS.FCS") returned 10 [0285.533] _wcsicmp (_String1="lanmanserver", _String2="INTUIT.QUICKBOOKS.FCS") returned 3 [0285.533] _wcsicmp (_String1="alerter", _String2="INTUIT.QUICKBOOKS.FCS") returned -8 [0285.533] _wcsicmp (_String1="netlogon", _String2="INTUIT.QUICKBOOKS.FCS") returned 5 [0285.533] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="WORKSTATION") returned -14 [0285.533] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="LanmanWorkstation") returned -3 [0285.533] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="SERVER") returned -10 [0285.533] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="LanmanServer") returned -3 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="BROWSER") returned 7 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="BROWSER") returned 7 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="MESSENGER") returned -4 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="MESSENGER") returned -4 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="NETRUN") returned -5 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="NETRUN") returned -5 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="SPOOLER") returned -10 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="SPOOLER") returned -10 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="ALERTER") returned 8 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="ALERTER") returned 8 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="NETLOGON") returned -5 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="NETLOGON") returned -5 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="NETPOPUP") returned -5 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="NETPOPUP") returned -5 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="SQLSERVER") returned -10 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="SQLSERVER") returned -10 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="REPLICATOR") returned -9 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="REPLICATOR") returned -9 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="REMOTEBOOT") returned -9 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="REMOTEBOOT") returned -9 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="TIMESOURCE") returned -11 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="TIMESOURCE") returned -11 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="AFP") returned 8 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="AFP") returned 8 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="UPS") returned -12 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="UPS") returned -12 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="XACTSRV") returned -15 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="XACTSRV") returned -15 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="TCPIP") returned -11 [0285.534] _wcsicmp (_String1="INTUIT.QUICKBOOKS.FCS", _String2="TCPIP") returned -11 [0285.534] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2d50ac0 [0285.535] OpenServiceW (hSCManager=0x2d50ac0, lpServiceName="INTUIT.QUICKBOOKS.FCS", dwDesiredAccess=0x84) returned 0x0 [0285.535] GetLastError () returned 0x424 [0285.535] CloseServiceHandle (hSCObject=0x2d50ac0) returned 1 [0285.535] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0285.535] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2d10002 [0285.536] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2d10002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0285.536] GetFileType (hFile=0x94) returned 0x2 [0285.537] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cdf534 | out: lpMode=0x2cdf534) returned 1 [0285.537] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2cdf540, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2cdf540*=0x1e) returned 1 [0285.537] GetFileType (hFile=0x94) returned 0x2 [0285.537] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cdf534 | out: lpMode=0x2cdf534) returned 1 [0285.538] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2cdf540, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2cdf540*=0x2) returned 1 [0285.538] _ultow (in: _Dest=0x889, _Radix=47052168 | out: _Dest=0x889) returned="2185" [0285.538] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2d10002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0285.538] GetFileType (hFile=0x94) returned 0x2 [0285.538] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cdf558 | out: lpMode=0x2cdf558) returned 1 [0285.538] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2cdf564, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2cdf564*=0x34) returned 1 [0285.539] GetFileType (hFile=0x94) returned 0x2 [0285.539] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cdf558 | out: lpMode=0x2cdf558) returned 1 [0285.539] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2cdf564, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2cdf564*=0x2) returned 1 [0285.539] NetApiBufferFree (Buffer=0x2d47d70) returned 0x0 [0285.540] NetApiBufferFree (Buffer=0x2d47e78) returned 0x0 [0285.540] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop Intuit.QuickBooks.FCS /y" [0285.540] exit (_Code=2) Thread: id = 108 os_tid = 0xa24 Process: id = "43" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x39756000" os_pid = "0x1154" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop QBCFMonitorService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 109 os_tid = 0x1318 Thread: id = 113 os_tid = 0x1248 Process: id = "44" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1b016000" os_pid = "0x11f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x1154" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 110 os_tid = 0x11b0 Thread: id = 111 os_tid = 0x121c Thread: id = 112 os_tid = 0x11a8 Process: id = "45" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x16f94000" os_pid = "0x1160" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x1154" cmd_line = "C:\\WINDOWS\\system32\\net1 stop QBCFMonitorService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 114 os_tid = 0x11bc [0286.035] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0286.035] __set_app_type (_Type=0x1) [0286.035] __p__fmode () returned 0x776f3c14 [0286.035] __p__commode () returned 0x776f49ec [0286.035] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0286.035] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0286.035] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0286.035] GetConsoleOutputCP () returned 0x1b5 [0286.036] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0286.036] SetThreadUILanguage (LangId=0x0) returned 0x2dd0409 [0286.039] sprintf_s (in: _DstBuf=0x2ebfea0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0286.039] setlocale (category=0, locale=".437") returned="English_United States.437" [0286.040] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0286.041] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0286.041] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop QBCFMonitorService /y" [0286.041] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ebfc48, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0286.041] RtlAllocateHeap (HeapHandle=0x31b0000, Flags=0x0, Size=0x78) returned 0x31b43b0 [0286.041] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0286.041] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ebfc44 | out: Buffer=0x2ebfc44*=0x31b7d38) returned 0x0 [0286.041] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ebfc40 | out: Buffer=0x2ebfc40*=0x31b7de0) returned 0x0 [0286.041] __iob_func () returned 0x776f2608 [0286.041] _fileno (_File=0x776f2608) returned 0 [0286.041] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0286.041] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0286.041] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0286.041] _wcsicmp (_String1="config", _String2="stop") returned -16 [0286.041] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0286.041] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0286.041] _wcsicmp (_String1="file", _String2="stop") returned -13 [0286.041] _wcsicmp (_String1="files", _String2="stop") returned -13 [0286.041] _wcsicmp (_String1="group", _String2="stop") returned -12 [0286.041] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0286.041] _wcsicmp (_String1="help", _String2="stop") returned -11 [0286.041] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0286.041] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0286.041] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0286.041] _wcsicmp (_String1="session", _String2="stop") returned -15 [0286.041] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0286.042] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0286.042] _wcsicmp (_String1="share", _String2="stop") returned -12 [0286.042] _wcsicmp (_String1="start", _String2="stop") returned -14 [0286.042] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0286.042] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0286.042] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0286.042] _wcsicmp (_String1="accounts", _String2="QBCFMonitorService") returned -16 [0286.042] _wcsicmp (_String1="computer", _String2="QBCFMonitorService") returned -14 [0286.042] _wcsicmp (_String1="config", _String2="QBCFMonitorService") returned -14 [0286.042] _wcsicmp (_String1="continue", _String2="QBCFMonitorService") returned -14 [0286.042] _wcsicmp (_String1="cont", _String2="QBCFMonitorService") returned -14 [0286.042] _wcsicmp (_String1="file", _String2="QBCFMonitorService") returned -11 [0286.042] _wcsicmp (_String1="files", _String2="QBCFMonitorService") returned -11 [0286.042] _wcsicmp (_String1="group", _String2="QBCFMonitorService") returned -10 [0286.042] _wcsicmp (_String1="groups", _String2="QBCFMonitorService") returned -10 [0286.042] _wcsicmp (_String1="help", _String2="QBCFMonitorService") returned -9 [0286.042] _wcsicmp (_String1="helpmsg", _String2="QBCFMonitorService") returned -9 [0286.042] _wcsicmp (_String1="localgroup", _String2="QBCFMonitorService") returned -5 [0286.042] _wcsicmp (_String1="pause", _String2="QBCFMonitorService") returned -1 [0286.042] _wcsicmp (_String1="session", _String2="QBCFMonitorService") returned 2 [0286.042] _wcsicmp (_String1="sessions", _String2="QBCFMonitorService") returned 2 [0286.042] _wcsicmp (_String1="sess", _String2="QBCFMonitorService") returned 2 [0286.042] _wcsicmp (_String1="share", _String2="QBCFMonitorService") returned 2 [0286.042] _wcsicmp (_String1="start", _String2="QBCFMonitorService") returned 2 [0286.042] _wcsicmp (_String1="stats", _String2="QBCFMonitorService") returned 2 [0286.042] _wcsicmp (_String1="statistics", _String2="QBCFMonitorService") returned 2 [0286.043] _wcsicmp (_String1="stop", _String2="QBCFMonitorService") returned 2 [0286.043] _wcsicmp (_String1="time", _String2="QBCFMonitorService") returned 3 [0286.043] _wcsicmp (_String1="user", _String2="QBCFMonitorService") returned 4 [0286.043] _wcsicmp (_String1="users", _String2="QBCFMonitorService") returned 4 [0286.043] _wcsicmp (_String1="msg", _String2="QBCFMonitorService") returned -4 [0286.043] _wcsicmp (_String1="messenger", _String2="QBCFMonitorService") returned -4 [0286.043] _wcsicmp (_String1="receiver", _String2="QBCFMonitorService") returned 1 [0286.043] _wcsicmp (_String1="rcv", _String2="QBCFMonitorService") returned 1 [0286.043] _wcsicmp (_String1="netpopup", _String2="QBCFMonitorService") returned -3 [0286.043] _wcsicmp (_String1="redirector", _String2="QBCFMonitorService") returned 1 [0286.043] _wcsicmp (_String1="redir", _String2="QBCFMonitorService") returned 1 [0286.043] _wcsicmp (_String1="rdr", _String2="QBCFMonitorService") returned 1 [0286.043] _wcsicmp (_String1="workstation", _String2="QBCFMonitorService") returned 6 [0286.043] _wcsicmp (_String1="work", _String2="QBCFMonitorService") returned 6 [0286.043] _wcsicmp (_String1="wksta", _String2="QBCFMonitorService") returned 6 [0286.043] _wcsicmp (_String1="prdr", _String2="QBCFMonitorService") returned -1 [0286.043] _wcsicmp (_String1="devrdr", _String2="QBCFMonitorService") returned -13 [0286.043] _wcsicmp (_String1="lanmanworkstation", _String2="QBCFMonitorService") returned -5 [0286.043] _wcsicmp (_String1="server", _String2="QBCFMonitorService") returned 2 [0286.043] _wcsicmp (_String1="svr", _String2="QBCFMonitorService") returned 2 [0286.043] _wcsicmp (_String1="srv", _String2="QBCFMonitorService") returned 2 [0286.043] _wcsicmp (_String1="lanmanserver", _String2="QBCFMonitorService") returned -5 [0286.043] _wcsicmp (_String1="alerter", _String2="QBCFMonitorService") returned -16 [0286.043] _wcsicmp (_String1="netlogon", _String2="QBCFMonitorService") returned -3 [0286.043] _wcsupr (in: _String="QBCFMonitorService" | out: _String="QBCFMONITORSERVICE") returned="QBCFMONITORSERVICE" [0286.043] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x31c0a58 [0286.048] GetServiceKeyNameW (in: hSCManager=0x31c0a58, lpDisplayName="QBCFMONITORSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x2ebfbb4 | out: lpServiceName="", lpcchBuffer=0x2ebfbb4) returned 0 [0286.049] _wcsicmp (_String1="msg", _String2="QBCFMONITORSERVICE") returned -4 [0286.049] _wcsicmp (_String1="messenger", _String2="QBCFMONITORSERVICE") returned -4 [0286.049] _wcsicmp (_String1="receiver", _String2="QBCFMONITORSERVICE") returned 1 [0286.049] _wcsicmp (_String1="rcv", _String2="QBCFMONITORSERVICE") returned 1 [0286.049] _wcsicmp (_String1="redirector", _String2="QBCFMONITORSERVICE") returned 1 [0286.049] _wcsicmp (_String1="redir", _String2="QBCFMONITORSERVICE") returned 1 [0286.049] _wcsicmp (_String1="rdr", _String2="QBCFMONITORSERVICE") returned 1 [0286.049] _wcsicmp (_String1="workstation", _String2="QBCFMONITORSERVICE") returned 6 [0286.049] _wcsicmp (_String1="work", _String2="QBCFMONITORSERVICE") returned 6 [0286.049] _wcsicmp (_String1="wksta", _String2="QBCFMONITORSERVICE") returned 6 [0286.049] _wcsicmp (_String1="prdr", _String2="QBCFMONITORSERVICE") returned -1 [0286.049] _wcsicmp (_String1="devrdr", _String2="QBCFMONITORSERVICE") returned -13 [0286.049] _wcsicmp (_String1="lanmanworkstation", _String2="QBCFMONITORSERVICE") returned -5 [0286.049] _wcsicmp (_String1="server", _String2="QBCFMONITORSERVICE") returned 2 [0286.049] _wcsicmp (_String1="svr", _String2="QBCFMONITORSERVICE") returned 2 [0286.049] _wcsicmp (_String1="srv", _String2="QBCFMONITORSERVICE") returned 2 [0286.049] _wcsicmp (_String1="lanmanserver", _String2="QBCFMONITORSERVICE") returned -5 [0286.049] _wcsicmp (_String1="alerter", _String2="QBCFMONITORSERVICE") returned -16 [0286.050] _wcsicmp (_String1="netlogon", _String2="QBCFMONITORSERVICE") returned -3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="WORKSTATION") returned -6 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="LanmanWorkstation") returned 5 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="SERVER") returned -2 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="LanmanServer") returned 5 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="BROWSER") returned 15 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="BROWSER") returned 15 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="MESSENGER") returned 4 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="MESSENGER") returned 4 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="NETRUN") returned 3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="NETRUN") returned 3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="SPOOLER") returned -2 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="SPOOLER") returned -2 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="ALERTER") returned 16 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="ALERTER") returned 16 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="NETLOGON") returned 3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="NETLOGON") returned 3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="NETPOPUP") returned 3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="NETPOPUP") returned 3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="SQLSERVER") returned -2 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="SQLSERVER") returned -2 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="REPLICATOR") returned -1 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="REPLICATOR") returned -1 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="REMOTEBOOT") returned -1 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="REMOTEBOOT") returned -1 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="TIMESOURCE") returned -3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="TIMESOURCE") returned -3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="AFP") returned 16 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="AFP") returned 16 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="UPS") returned -4 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="UPS") returned -4 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="XACTSRV") returned -7 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="XACTSRV") returned -7 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="TCPIP") returned -3 [0286.050] _wcsicmp (_String1="QBCFMONITORSERVICE", _String2="TCPIP") returned -3 [0286.050] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x31c0828 [0286.051] OpenServiceW (hSCManager=0x31c0828, lpServiceName="QBCFMONITORSERVICE", dwDesiredAccess=0x84) returned 0x0 [0286.051] GetLastError () returned 0x424 [0286.051] CloseServiceHandle (hSCObject=0x31c0828) returned 1 [0286.051] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0286.051] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x3000002 [0286.052] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x3000002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0286.053] GetFileType (hFile=0x94) returned 0x2 [0286.053] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2ebfa44 | out: lpMode=0x2ebfa44) returned 1 [0286.053] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2ebfa50, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2ebfa50*=0x1e) returned 1 [0286.054] GetFileType (hFile=0x94) returned 0x2 [0286.054] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2ebfa44 | out: lpMode=0x2ebfa44) returned 1 [0286.054] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2ebfa50, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2ebfa50*=0x2) returned 1 [0286.054] _ultow (in: _Dest=0x889, _Radix=49019544 | out: _Dest=0x889) returned="2185" [0286.054] FormatMessageW (in: dwFlags=0x2800, lpSource=0x3000002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0286.055] GetFileType (hFile=0x94) returned 0x2 [0286.055] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2ebfa68 | out: lpMode=0x2ebfa68) returned 1 [0286.055] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2ebfa74, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2ebfa74*=0x34) returned 1 [0286.055] GetFileType (hFile=0x94) returned 0x2 [0286.055] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2ebfa68 | out: lpMode=0x2ebfa68) returned 1 [0286.056] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2ebfa74, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2ebfa74*=0x2) returned 1 [0286.056] NetApiBufferFree (Buffer=0x31b7d38) returned 0x0 [0286.056] NetApiBufferFree (Buffer=0x31b7de0) returned 0x0 [0286.056] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop QBCFMonitorService /y" [0286.056] exit (_Code=2) Thread: id = 115 os_tid = 0x11c4 Process: id = "46" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x17b5b000" os_pid = "0x1258" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop YooBackup /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 116 os_tid = 0x11c0 Thread: id = 120 os_tid = 0x11b4 Process: id = "47" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x17d6c000" os_pid = "0x11b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0x1258" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 117 os_tid = 0x115c Thread: id = 118 os_tid = 0x760 Thread: id = 119 os_tid = 0xa50 Process: id = "48" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1b3eb000" os_pid = "0x1128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0x1258" cmd_line = "C:\\WINDOWS\\system32\\net1 stop YooBackup /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 121 os_tid = 0x128c [0286.450] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0286.450] __set_app_type (_Type=0x1) [0286.450] __p__fmode () returned 0x776f3c14 [0286.450] __p__commode () returned 0x776f49ec [0286.450] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0286.450] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0286.450] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0286.450] GetConsoleOutputCP () returned 0x1b5 [0286.451] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0286.451] SetThreadUILanguage (LangId=0x0) returned 0x2ae0409 [0286.453] sprintf_s (in: _DstBuf=0x29efb50, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0286.454] setlocale (category=0, locale=".437") returned="English_United States.437" [0286.455] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0286.455] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0286.455] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop YooBackup /y" [0286.455] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29ef8f8, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0286.455] RtlAllocateHeap (HeapHandle=0x2d80000, Flags=0x0, Size=0x66) returned 0x2d89030 [0286.455] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0286.455] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29ef8f4 | out: Buffer=0x29ef8f4*=0x2d88560) returned 0x0 [0286.455] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29ef8f0 | out: Buffer=0x29ef8f0*=0x2d88578) returned 0x0 [0286.455] __iob_func () returned 0x776f2608 [0286.456] _fileno (_File=0x776f2608) returned 0 [0286.456] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0286.456] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0286.456] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0286.456] _wcsicmp (_String1="config", _String2="stop") returned -16 [0286.456] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0286.456] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0286.456] _wcsicmp (_String1="file", _String2="stop") returned -13 [0286.456] _wcsicmp (_String1="files", _String2="stop") returned -13 [0286.456] _wcsicmp (_String1="group", _String2="stop") returned -12 [0286.456] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0286.456] _wcsicmp (_String1="help", _String2="stop") returned -11 [0286.456] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0286.456] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0286.456] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0286.456] _wcsicmp (_String1="session", _String2="stop") returned -15 [0286.456] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0286.456] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0286.456] _wcsicmp (_String1="share", _String2="stop") returned -12 [0286.456] _wcsicmp (_String1="start", _String2="stop") returned -14 [0286.456] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0286.456] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0286.456] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0286.456] _wcsicmp (_String1="accounts", _String2="YooBackup") returned -24 [0286.456] _wcsicmp (_String1="computer", _String2="YooBackup") returned -22 [0286.456] _wcsicmp (_String1="config", _String2="YooBackup") returned -22 [0286.456] _wcsicmp (_String1="continue", _String2="YooBackup") returned -22 [0286.456] _wcsicmp (_String1="cont", _String2="YooBackup") returned -22 [0286.456] _wcsicmp (_String1="file", _String2="YooBackup") returned -19 [0286.456] _wcsicmp (_String1="files", _String2="YooBackup") returned -19 [0286.456] _wcsicmp (_String1="group", _String2="YooBackup") returned -18 [0286.456] _wcsicmp (_String1="groups", _String2="YooBackup") returned -18 [0286.456] _wcsicmp (_String1="help", _String2="YooBackup") returned -17 [0286.457] _wcsicmp (_String1="helpmsg", _String2="YooBackup") returned -17 [0286.457] _wcsicmp (_String1="localgroup", _String2="YooBackup") returned -13 [0286.457] _wcsicmp (_String1="pause", _String2="YooBackup") returned -9 [0286.457] _wcsicmp (_String1="session", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="sessions", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="sess", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="share", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="start", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="stats", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="statistics", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="stop", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="time", _String2="YooBackup") returned -5 [0286.457] _wcsicmp (_String1="user", _String2="YooBackup") returned -4 [0286.457] _wcsicmp (_String1="users", _String2="YooBackup") returned -4 [0286.457] _wcsicmp (_String1="msg", _String2="YooBackup") returned -12 [0286.457] _wcsicmp (_String1="messenger", _String2="YooBackup") returned -12 [0286.457] _wcsicmp (_String1="receiver", _String2="YooBackup") returned -7 [0286.457] _wcsicmp (_String1="rcv", _String2="YooBackup") returned -7 [0286.457] _wcsicmp (_String1="netpopup", _String2="YooBackup") returned -11 [0286.457] _wcsicmp (_String1="redirector", _String2="YooBackup") returned -7 [0286.457] _wcsicmp (_String1="redir", _String2="YooBackup") returned -7 [0286.457] _wcsicmp (_String1="rdr", _String2="YooBackup") returned -7 [0286.457] _wcsicmp (_String1="workstation", _String2="YooBackup") returned -2 [0286.457] _wcsicmp (_String1="work", _String2="YooBackup") returned -2 [0286.457] _wcsicmp (_String1="wksta", _String2="YooBackup") returned -2 [0286.457] _wcsicmp (_String1="prdr", _String2="YooBackup") returned -9 [0286.457] _wcsicmp (_String1="devrdr", _String2="YooBackup") returned -21 [0286.457] _wcsicmp (_String1="lanmanworkstation", _String2="YooBackup") returned -13 [0286.457] _wcsicmp (_String1="server", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="svr", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="srv", _String2="YooBackup") returned -6 [0286.457] _wcsicmp (_String1="lanmanserver", _String2="YooBackup") returned -13 [0286.457] _wcsicmp (_String1="alerter", _String2="YooBackup") returned -24 [0286.457] _wcsicmp (_String1="netlogon", _String2="YooBackup") returned -11 [0286.457] _wcsupr (in: _String="YooBackup" | out: _String="YOOBACKUP") returned="YOOBACKUP" [0286.458] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d909b0 [0286.460] GetServiceKeyNameW (in: hSCManager=0x2d909b0, lpDisplayName="YOOBACKUP", lpServiceName=0x1c8c28, lpcchBuffer=0x29ef864 | out: lpServiceName="", lpcchBuffer=0x29ef864) returned 0 [0286.461] _wcsicmp (_String1="msg", _String2="YOOBACKUP") returned -12 [0286.461] _wcsicmp (_String1="messenger", _String2="YOOBACKUP") returned -12 [0286.461] _wcsicmp (_String1="receiver", _String2="YOOBACKUP") returned -7 [0286.461] _wcsicmp (_String1="rcv", _String2="YOOBACKUP") returned -7 [0286.461] _wcsicmp (_String1="redirector", _String2="YOOBACKUP") returned -7 [0286.461] _wcsicmp (_String1="redir", _String2="YOOBACKUP") returned -7 [0286.461] _wcsicmp (_String1="rdr", _String2="YOOBACKUP") returned -7 [0286.461] _wcsicmp (_String1="workstation", _String2="YOOBACKUP") returned -2 [0286.461] _wcsicmp (_String1="work", _String2="YOOBACKUP") returned -2 [0286.461] _wcsicmp (_String1="wksta", _String2="YOOBACKUP") returned -2 [0286.461] _wcsicmp (_String1="prdr", _String2="YOOBACKUP") returned -9 [0286.461] _wcsicmp (_String1="devrdr", _String2="YOOBACKUP") returned -21 [0286.461] _wcsicmp (_String1="lanmanworkstation", _String2="YOOBACKUP") returned -13 [0286.462] _wcsicmp (_String1="server", _String2="YOOBACKUP") returned -6 [0286.462] _wcsicmp (_String1="svr", _String2="YOOBACKUP") returned -6 [0286.462] _wcsicmp (_String1="srv", _String2="YOOBACKUP") returned -6 [0286.462] _wcsicmp (_String1="lanmanserver", _String2="YOOBACKUP") returned -13 [0286.462] _wcsicmp (_String1="alerter", _String2="YOOBACKUP") returned -24 [0286.462] _wcsicmp (_String1="netlogon", _String2="YOOBACKUP") returned -11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="WORKSTATION") returned 2 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="LanmanWorkstation") returned 13 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="SERVER") returned 6 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="LanmanServer") returned 13 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="BROWSER") returned 23 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="BROWSER") returned 23 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="MESSENGER") returned 12 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="MESSENGER") returned 12 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="NETRUN") returned 11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="NETRUN") returned 11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="SPOOLER") returned 6 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="SPOOLER") returned 6 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="ALERTER") returned 24 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="ALERTER") returned 24 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="NETLOGON") returned 11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="NETLOGON") returned 11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="NETPOPUP") returned 11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="NETPOPUP") returned 11 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="SQLSERVER") returned 6 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="SQLSERVER") returned 6 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="REPLICATOR") returned 7 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="REPLICATOR") returned 7 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="REMOTEBOOT") returned 7 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="REMOTEBOOT") returned 7 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="TIMESOURCE") returned 5 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="TIMESOURCE") returned 5 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="AFP") returned 24 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="AFP") returned 24 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="UPS") returned 4 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="UPS") returned 4 [0286.462] _wcsicmp (_String1="YOOBACKUP", _String2="XACTSRV") returned 1 [0286.463] _wcsicmp (_String1="YOOBACKUP", _String2="XACTSRV") returned 1 [0286.463] _wcsicmp (_String1="YOOBACKUP", _String2="TCPIP") returned 5 [0286.463] _wcsicmp (_String1="YOOBACKUP", _String2="TCPIP") returned 5 [0286.463] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2d909d8 [0286.463] OpenServiceW (hSCManager=0x2d909d8, lpServiceName="YOOBACKUP", dwDesiredAccess=0x84) returned 0x0 [0286.463] GetLastError () returned 0x424 [0286.463] CloseServiceHandle (hSCObject=0x2d909d8) returned 1 [0286.464] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0286.464] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2d40002 [0286.464] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2d40002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0286.465] GetFileType (hFile=0x94) returned 0x2 [0286.465] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29ef6f4 | out: lpMode=0x29ef6f4) returned 1 [0286.466] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x29ef700, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x29ef700*=0x1e) returned 1 [0286.466] GetFileType (hFile=0x94) returned 0x2 [0286.466] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29ef6f4 | out: lpMode=0x29ef6f4) returned 1 [0286.467] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x29ef700, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x29ef700*=0x2) returned 1 [0286.467] _ultow (in: _Dest=0x889, _Radix=43972424 | out: _Dest=0x889) returned="2185" [0286.467] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2d40002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0286.467] GetFileType (hFile=0x94) returned 0x2 [0286.467] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29ef718 | out: lpMode=0x29ef718) returned 1 [0286.468] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x29ef724, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x29ef724*=0x34) returned 1 [0286.468] GetFileType (hFile=0x94) returned 0x2 [0286.468] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x29ef718 | out: lpMode=0x29ef718) returned 1 [0286.468] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x29ef724, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x29ef724*=0x2) returned 1 [0286.469] NetApiBufferFree (Buffer=0x2d88560) returned 0x0 [0286.469] NetApiBufferFree (Buffer=0x2d88578) returned 0x0 [0286.469] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop YooBackup /y" [0286.469] exit (_Code=2) Thread: id = 122 os_tid = 0x12a4 Process: id = "49" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0xb360000" os_pid = "0x1314" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop YooIT /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 123 os_tid = 0x12ac Thread: id = 127 os_tid = 0x1184 Process: id = "50" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59b4e000" os_pid = "0x1220" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x1314" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 124 os_tid = 0x1320 Thread: id = 125 os_tid = 0x1040 Thread: id = 126 os_tid = 0x1188 Process: id = "51" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x3aad3000" os_pid = "0xa38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x1314" cmd_line = "C:\\WINDOWS\\system32\\net1 stop YooIT /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 128 os_tid = 0x8 [0286.825] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0286.826] __set_app_type (_Type=0x1) [0286.826] __p__fmode () returned 0x776f3c14 [0286.826] __p__commode () returned 0x776f49ec [0286.826] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0286.826] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0286.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0286.826] GetConsoleOutputCP () returned 0x1b5 [0286.826] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0286.826] SetThreadUILanguage (LangId=0x0) returned 0x2270409 [0286.829] sprintf_s (in: _DstBuf=0x24bfae8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0286.829] setlocale (category=0, locale=".437") returned="English_United States.437" [0286.831] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0286.831] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0286.831] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop YooIT /y" [0286.831] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24bf890, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0286.831] RtlAllocateHeap (HeapHandle=0x2630000, Flags=0x0, Size=0x5e) returned 0x2634388 [0286.831] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0286.831] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24bf88c | out: Buffer=0x24bf88c*=0x2637d88) returned 0x0 [0286.831] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24bf888 | out: Buffer=0x24bf888*=0x2637da0) returned 0x0 [0286.831] __iob_func () returned 0x776f2608 [0286.831] _fileno (_File=0x776f2608) returned 0 [0286.831] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0286.831] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0286.831] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0286.831] _wcsicmp (_String1="config", _String2="stop") returned -16 [0286.831] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0286.831] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0286.831] _wcsicmp (_String1="file", _String2="stop") returned -13 [0286.831] _wcsicmp (_String1="files", _String2="stop") returned -13 [0286.831] _wcsicmp (_String1="group", _String2="stop") returned -12 [0286.831] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0286.831] _wcsicmp (_String1="help", _String2="stop") returned -11 [0286.831] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0286.831] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0286.831] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0286.831] _wcsicmp (_String1="session", _String2="stop") returned -15 [0286.832] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0286.832] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0286.832] _wcsicmp (_String1="share", _String2="stop") returned -12 [0286.832] _wcsicmp (_String1="start", _String2="stop") returned -14 [0286.832] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0286.832] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0286.832] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0286.832] _wcsicmp (_String1="accounts", _String2="YooIT") returned -24 [0286.832] _wcsicmp (_String1="computer", _String2="YooIT") returned -22 [0286.832] _wcsicmp (_String1="config", _String2="YooIT") returned -22 [0286.832] _wcsicmp (_String1="continue", _String2="YooIT") returned -22 [0286.832] _wcsicmp (_String1="cont", _String2="YooIT") returned -22 [0286.832] _wcsicmp (_String1="file", _String2="YooIT") returned -19 [0286.832] _wcsicmp (_String1="files", _String2="YooIT") returned -19 [0286.832] _wcsicmp (_String1="group", _String2="YooIT") returned -18 [0286.832] _wcsicmp (_String1="groups", _String2="YooIT") returned -18 [0286.832] _wcsicmp (_String1="help", _String2="YooIT") returned -17 [0286.832] _wcsicmp (_String1="helpmsg", _String2="YooIT") returned -17 [0286.832] _wcsicmp (_String1="localgroup", _String2="YooIT") returned -13 [0286.832] _wcsicmp (_String1="pause", _String2="YooIT") returned -9 [0286.832] _wcsicmp (_String1="session", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="sessions", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="sess", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="share", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="start", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="stats", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="statistics", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="stop", _String2="YooIT") returned -6 [0286.832] _wcsicmp (_String1="time", _String2="YooIT") returned -5 [0286.832] _wcsicmp (_String1="user", _String2="YooIT") returned -4 [0286.832] _wcsicmp (_String1="users", _String2="YooIT") returned -4 [0286.832] _wcsicmp (_String1="msg", _String2="YooIT") returned -12 [0286.832] _wcsicmp (_String1="messenger", _String2="YooIT") returned -12 [0286.832] _wcsicmp (_String1="receiver", _String2="YooIT") returned -7 [0286.833] _wcsicmp (_String1="rcv", _String2="YooIT") returned -7 [0286.833] _wcsicmp (_String1="netpopup", _String2="YooIT") returned -11 [0286.833] _wcsicmp (_String1="redirector", _String2="YooIT") returned -7 [0286.833] _wcsicmp (_String1="redir", _String2="YooIT") returned -7 [0286.833] _wcsicmp (_String1="rdr", _String2="YooIT") returned -7 [0286.833] _wcsicmp (_String1="workstation", _String2="YooIT") returned -2 [0286.833] _wcsicmp (_String1="work", _String2="YooIT") returned -2 [0286.833] _wcsicmp (_String1="wksta", _String2="YooIT") returned -2 [0286.833] _wcsicmp (_String1="prdr", _String2="YooIT") returned -9 [0286.833] _wcsicmp (_String1="devrdr", _String2="YooIT") returned -21 [0286.833] _wcsicmp (_String1="lanmanworkstation", _String2="YooIT") returned -13 [0286.833] _wcsicmp (_String1="server", _String2="YooIT") returned -6 [0286.833] _wcsicmp (_String1="svr", _String2="YooIT") returned -6 [0286.833] _wcsicmp (_String1="srv", _String2="YooIT") returned -6 [0286.833] _wcsicmp (_String1="lanmanserver", _String2="YooIT") returned -13 [0286.833] _wcsicmp (_String1="alerter", _String2="YooIT") returned -24 [0286.833] _wcsicmp (_String1="netlogon", _String2="YooIT") returned -11 [0286.833] _wcsupr (in: _String="YooIT" | out: _String="YOOIT") returned="YOOIT" [0286.833] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x26407c8 [0286.836] GetServiceKeyNameW (in: hSCManager=0x26407c8, lpDisplayName="YOOIT", lpServiceName=0x1c8c28, lpcchBuffer=0x24bf7fc | out: lpServiceName="", lpcchBuffer=0x24bf7fc) returned 0 [0286.837] _wcsicmp (_String1="msg", _String2="YOOIT") returned -12 [0286.837] _wcsicmp (_String1="messenger", _String2="YOOIT") returned -12 [0286.837] _wcsicmp (_String1="receiver", _String2="YOOIT") returned -7 [0286.837] _wcsicmp (_String1="rcv", _String2="YOOIT") returned -7 [0286.837] _wcsicmp (_String1="redirector", _String2="YOOIT") returned -7 [0286.837] _wcsicmp (_String1="redir", _String2="YOOIT") returned -7 [0286.837] _wcsicmp (_String1="rdr", _String2="YOOIT") returned -7 [0286.837] _wcsicmp (_String1="workstation", _String2="YOOIT") returned -2 [0286.837] _wcsicmp (_String1="work", _String2="YOOIT") returned -2 [0286.837] _wcsicmp (_String1="wksta", _String2="YOOIT") returned -2 [0286.837] _wcsicmp (_String1="prdr", _String2="YOOIT") returned -9 [0286.837] _wcsicmp (_String1="devrdr", _String2="YOOIT") returned -21 [0286.837] _wcsicmp (_String1="lanmanworkstation", _String2="YOOIT") returned -13 [0286.837] _wcsicmp (_String1="server", _String2="YOOIT") returned -6 [0286.837] _wcsicmp (_String1="svr", _String2="YOOIT") returned -6 [0286.837] _wcsicmp (_String1="srv", _String2="YOOIT") returned -6 [0286.837] _wcsicmp (_String1="lanmanserver", _String2="YOOIT") returned -13 [0286.837] _wcsicmp (_String1="alerter", _String2="YOOIT") returned -24 [0286.837] _wcsicmp (_String1="netlogon", _String2="YOOIT") returned -11 [0286.837] _wcsicmp (_String1="YOOIT", _String2="WORKSTATION") returned 2 [0286.837] _wcsicmp (_String1="YOOIT", _String2="LanmanWorkstation") returned 13 [0286.837] _wcsicmp (_String1="YOOIT", _String2="SERVER") returned 6 [0286.837] _wcsicmp (_String1="YOOIT", _String2="LanmanServer") returned 13 [0286.837] _wcsicmp (_String1="YOOIT", _String2="BROWSER") returned 23 [0286.837] _wcsicmp (_String1="YOOIT", _String2="BROWSER") returned 23 [0286.837] _wcsicmp (_String1="YOOIT", _String2="MESSENGER") returned 12 [0286.837] _wcsicmp (_String1="YOOIT", _String2="MESSENGER") returned 12 [0286.838] _wcsicmp (_String1="YOOIT", _String2="NETRUN") returned 11 [0286.838] _wcsicmp (_String1="YOOIT", _String2="NETRUN") returned 11 [0286.838] _wcsicmp (_String1="YOOIT", _String2="SPOOLER") returned 6 [0286.838] _wcsicmp (_String1="YOOIT", _String2="SPOOLER") returned 6 [0286.838] _wcsicmp (_String1="YOOIT", _String2="ALERTER") returned 24 [0286.838] _wcsicmp (_String1="YOOIT", _String2="ALERTER") returned 24 [0286.838] _wcsicmp (_String1="YOOIT", _String2="NETLOGON") returned 11 [0286.838] _wcsicmp (_String1="YOOIT", _String2="NETLOGON") returned 11 [0286.838] _wcsicmp (_String1="YOOIT", _String2="NETPOPUP") returned 11 [0286.838] _wcsicmp (_String1="YOOIT", _String2="NETPOPUP") returned 11 [0286.838] _wcsicmp (_String1="YOOIT", _String2="SQLSERVER") returned 6 [0286.838] _wcsicmp (_String1="YOOIT", _String2="SQLSERVER") returned 6 [0286.838] _wcsicmp (_String1="YOOIT", _String2="REPLICATOR") returned 7 [0286.838] _wcsicmp (_String1="YOOIT", _String2="REPLICATOR") returned 7 [0286.838] _wcsicmp (_String1="YOOIT", _String2="REMOTEBOOT") returned 7 [0286.838] _wcsicmp (_String1="YOOIT", _String2="REMOTEBOOT") returned 7 [0286.838] _wcsicmp (_String1="YOOIT", _String2="TIMESOURCE") returned 5 [0286.838] _wcsicmp (_String1="YOOIT", _String2="TIMESOURCE") returned 5 [0286.838] _wcsicmp (_String1="YOOIT", _String2="AFP") returned 24 [0286.838] _wcsicmp (_String1="YOOIT", _String2="AFP") returned 24 [0286.838] _wcsicmp (_String1="YOOIT", _String2="UPS") returned 4 [0286.838] _wcsicmp (_String1="YOOIT", _String2="UPS") returned 4 [0286.838] _wcsicmp (_String1="YOOIT", _String2="XACTSRV") returned 1 [0286.838] _wcsicmp (_String1="YOOIT", _String2="XACTSRV") returned 1 [0286.838] _wcsicmp (_String1="YOOIT", _String2="TCPIP") returned 5 [0286.838] _wcsicmp (_String1="YOOIT", _String2="TCPIP") returned 5 [0286.838] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x26408b8 [0286.839] OpenServiceW (hSCManager=0x26408b8, lpServiceName="YOOIT", dwDesiredAccess=0x84) returned 0x0 [0286.839] GetLastError () returned 0x424 [0286.840] CloseServiceHandle (hSCObject=0x26408b8) returned 1 [0286.840] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0286.840] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x21e0002 [0286.841] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x21e0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0286.842] GetFileType (hFile=0x94) returned 0x2 [0286.842] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x24bf68c | out: lpMode=0x24bf68c) returned 1 [0286.842] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24bf698, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x24bf698*=0x1e) returned 1 [0286.843] GetFileType (hFile=0x94) returned 0x2 [0286.843] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x24bf68c | out: lpMode=0x24bf68c) returned 1 [0286.843] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24bf698, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x24bf698*=0x2) returned 1 [0286.843] _ultow (in: _Dest=0x889, _Radix=38532832 | out: _Dest=0x889) returned="2185" [0286.843] FormatMessageW (in: dwFlags=0x2800, lpSource=0x21e0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0286.843] GetFileType (hFile=0x94) returned 0x2 [0286.843] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x24bf6b0 | out: lpMode=0x24bf6b0) returned 1 [0286.844] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24bf6bc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x24bf6bc*=0x34) returned 1 [0286.844] GetFileType (hFile=0x94) returned 0x2 [0286.844] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x24bf6b0 | out: lpMode=0x24bf6b0) returned 1 [0286.844] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24bf6bc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x24bf6bc*=0x2) returned 1 [0286.845] NetApiBufferFree (Buffer=0x2637d88) returned 0x0 [0286.845] NetApiBufferFree (Buffer=0x2637da0) returned 0x0 [0286.845] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop YooIT /y" [0286.845] exit (_Code=2) Thread: id = 129 os_tid = 0xf98 Process: id = "52" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x34e3000" os_pid = "0xed0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop zhudongfangyu /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 130 os_tid = 0xeac Thread: id = 134 os_tid = 0x12a8 Process: id = "53" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x55998000" os_pid = "0xf78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xed0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 131 os_tid = 0x11a0 Thread: id = 132 os_tid = 0x1144 Thread: id = 133 os_tid = 0x1158 Process: id = "54" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5dff6000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xed0" cmd_line = "C:\\WINDOWS\\system32\\net1 stop zhudongfangyu /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 135 os_tid = 0x1230 [0287.287] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0287.287] __set_app_type (_Type=0x1) [0287.287] __p__fmode () returned 0x776f3c14 [0287.287] __p__commode () returned 0x776f49ec [0287.287] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0287.287] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0287.287] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0287.287] GetConsoleOutputCP () returned 0x1b5 [0287.288] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0287.288] SetThreadUILanguage (LangId=0x0) returned 0x24a0409 [0287.290] sprintf_s (in: _DstBuf=0x26ef8f4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0287.291] setlocale (category=0, locale=".437") returned="English_United States.437" [0287.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x64c [0287.293] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0287.293] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop zhudongfangyu /y" [0287.293] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26ef69c, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0287.293] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x0, Size=0x6e) returned 0x28e7880 [0287.293] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0287.293] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26ef698 | out: Buffer=0x26ef698*=0x28e8640) returned 0x0 [0287.293] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26ef694 | out: Buffer=0x26ef694*=0x28e8658) returned 0x0 [0287.293] __iob_func () returned 0x776f2608 [0287.293] _fileno (_File=0x776f2608) returned 0 [0287.293] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0287.293] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0287.293] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0287.293] _wcsicmp (_String1="config", _String2="stop") returned -16 [0287.293] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0287.293] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0287.293] _wcsicmp (_String1="file", _String2="stop") returned -13 [0287.293] _wcsicmp (_String1="files", _String2="stop") returned -13 [0287.293] _wcsicmp (_String1="group", _String2="stop") returned -12 [0287.293] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0287.293] _wcsicmp (_String1="help", _String2="stop") returned -11 [0287.293] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0287.293] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0287.293] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0287.293] _wcsicmp (_String1="session", _String2="stop") returned -15 [0287.293] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0287.293] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0287.293] _wcsicmp (_String1="share", _String2="stop") returned -12 [0287.293] _wcsicmp (_String1="start", _String2="stop") returned -14 [0287.294] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0287.294] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0287.294] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0287.294] _wcsicmp (_String1="accounts", _String2="zhudongfangyu") returned -25 [0287.294] _wcsicmp (_String1="computer", _String2="zhudongfangyu") returned -23 [0287.294] _wcsicmp (_String1="config", _String2="zhudongfangyu") returned -23 [0287.294] _wcsicmp (_String1="continue", _String2="zhudongfangyu") returned -23 [0287.294] _wcsicmp (_String1="cont", _String2="zhudongfangyu") returned -23 [0287.294] _wcsicmp (_String1="file", _String2="zhudongfangyu") returned -20 [0287.294] _wcsicmp (_String1="files", _String2="zhudongfangyu") returned -20 [0287.294] _wcsicmp (_String1="group", _String2="zhudongfangyu") returned -19 [0287.294] _wcsicmp (_String1="groups", _String2="zhudongfangyu") returned -19 [0287.294] _wcsicmp (_String1="help", _String2="zhudongfangyu") returned -18 [0287.294] _wcsicmp (_String1="helpmsg", _String2="zhudongfangyu") returned -18 [0287.294] _wcsicmp (_String1="localgroup", _String2="zhudongfangyu") returned -14 [0287.294] _wcsicmp (_String1="pause", _String2="zhudongfangyu") returned -10 [0287.294] _wcsicmp (_String1="session", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="sessions", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="sess", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="share", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="start", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="stats", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="statistics", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="stop", _String2="zhudongfangyu") returned -7 [0287.294] _wcsicmp (_String1="time", _String2="zhudongfangyu") returned -6 [0287.294] _wcsicmp (_String1="user", _String2="zhudongfangyu") returned -5 [0287.294] _wcsicmp (_String1="users", _String2="zhudongfangyu") returned -5 [0287.294] _wcsicmp (_String1="msg", _String2="zhudongfangyu") returned -13 [0287.294] _wcsicmp (_String1="messenger", _String2="zhudongfangyu") returned -13 [0287.294] _wcsicmp (_String1="receiver", _String2="zhudongfangyu") returned -8 [0287.294] _wcsicmp (_String1="rcv", _String2="zhudongfangyu") returned -8 [0287.294] _wcsicmp (_String1="netpopup", _String2="zhudongfangyu") returned -12 [0287.294] _wcsicmp (_String1="redirector", _String2="zhudongfangyu") returned -8 [0287.294] _wcsicmp (_String1="redir", _String2="zhudongfangyu") returned -8 [0287.294] _wcsicmp (_String1="rdr", _String2="zhudongfangyu") returned -8 [0287.294] _wcsicmp (_String1="workstation", _String2="zhudongfangyu") returned -3 [0287.294] _wcsicmp (_String1="work", _String2="zhudongfangyu") returned -3 [0287.295] _wcsicmp (_String1="wksta", _String2="zhudongfangyu") returned -3 [0287.295] _wcsicmp (_String1="prdr", _String2="zhudongfangyu") returned -10 [0287.295] _wcsicmp (_String1="devrdr", _String2="zhudongfangyu") returned -22 [0287.295] _wcsicmp (_String1="lanmanworkstation", _String2="zhudongfangyu") returned -14 [0287.295] _wcsicmp (_String1="server", _String2="zhudongfangyu") returned -7 [0287.295] _wcsicmp (_String1="svr", _String2="zhudongfangyu") returned -7 [0287.295] _wcsicmp (_String1="srv", _String2="zhudongfangyu") returned -7 [0287.295] _wcsicmp (_String1="lanmanserver", _String2="zhudongfangyu") returned -14 [0287.295] _wcsicmp (_String1="alerter", _String2="zhudongfangyu") returned -25 [0287.295] _wcsicmp (_String1="netlogon", _String2="zhudongfangyu") returned -12 [0287.295] _wcsupr (in: _String="zhudongfangyu" | out: _String="ZHUDONGFANGYU") returned="ZHUDONGFANGYU" [0287.295] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x28f0930 [0287.298] GetServiceKeyNameW (in: hSCManager=0x28f0930, lpDisplayName="ZHUDONGFANGYU", lpServiceName=0x1c8c28, lpcchBuffer=0x26ef60c | out: lpServiceName="", lpcchBuffer=0x26ef60c) returned 0 [0287.299] _wcsicmp (_String1="msg", _String2="ZHUDONGFANGYU") returned -13 [0287.299] _wcsicmp (_String1="messenger", _String2="ZHUDONGFANGYU") returned -13 [0287.299] _wcsicmp (_String1="receiver", _String2="ZHUDONGFANGYU") returned -8 [0287.299] _wcsicmp (_String1="rcv", _String2="ZHUDONGFANGYU") returned -8 [0287.299] _wcsicmp (_String1="redirector", _String2="ZHUDONGFANGYU") returned -8 [0287.299] _wcsicmp (_String1="redir", _String2="ZHUDONGFANGYU") returned -8 [0287.299] _wcsicmp (_String1="rdr", _String2="ZHUDONGFANGYU") returned -8 [0287.299] _wcsicmp (_String1="workstation", _String2="ZHUDONGFANGYU") returned -3 [0287.299] _wcsicmp (_String1="work", _String2="ZHUDONGFANGYU") returned -3 [0287.299] _wcsicmp (_String1="wksta", _String2="ZHUDONGFANGYU") returned -3 [0287.299] _wcsicmp (_String1="prdr", _String2="ZHUDONGFANGYU") returned -10 [0287.299] _wcsicmp (_String1="devrdr", _String2="ZHUDONGFANGYU") returned -22 [0287.299] _wcsicmp (_String1="lanmanworkstation", _String2="ZHUDONGFANGYU") returned -14 [0287.299] _wcsicmp (_String1="server", _String2="ZHUDONGFANGYU") returned -7 [0287.299] _wcsicmp (_String1="svr", _String2="ZHUDONGFANGYU") returned -7 [0287.299] _wcsicmp (_String1="srv", _String2="ZHUDONGFANGYU") returned -7 [0287.299] _wcsicmp (_String1="lanmanserver", _String2="ZHUDONGFANGYU") returned -14 [0287.299] _wcsicmp (_String1="alerter", _String2="ZHUDONGFANGYU") returned -25 [0287.299] _wcsicmp (_String1="netlogon", _String2="ZHUDONGFANGYU") returned -12 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="WORKSTATION") returned 3 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="LanmanWorkstation") returned 14 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="SERVER") returned 7 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="LanmanServer") returned 14 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="BROWSER") returned 24 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="BROWSER") returned 24 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="MESSENGER") returned 13 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="MESSENGER") returned 13 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="NETRUN") returned 12 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="NETRUN") returned 12 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="SPOOLER") returned 7 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="SPOOLER") returned 7 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="ALERTER") returned 25 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="ALERTER") returned 25 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="NETLOGON") returned 12 [0287.299] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="NETLOGON") returned 12 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="NETPOPUP") returned 12 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="NETPOPUP") returned 12 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="SQLSERVER") returned 7 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="SQLSERVER") returned 7 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="REPLICATOR") returned 8 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="REPLICATOR") returned 8 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="REMOTEBOOT") returned 8 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="REMOTEBOOT") returned 8 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="TIMESOURCE") returned 6 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="TIMESOURCE") returned 6 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="AFP") returned 25 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="AFP") returned 25 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="UPS") returned 5 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="UPS") returned 5 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="XACTSRV") returned 2 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="XACTSRV") returned 2 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="TCPIP") returned 6 [0287.300] _wcsicmp (_String1="ZHUDONGFANGYU", _String2="TCPIP") returned 6 [0287.300] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x28f0818 [0287.300] OpenServiceW (hSCManager=0x28f0818, lpServiceName="ZHUDONGFANGYU", dwDesiredAccess=0x84) returned 0x0 [0287.301] GetLastError () returned 0x424 [0287.301] CloseServiceHandle (hSCObject=0x28f0818) returned 1 [0287.301] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0287.301] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2760002 [0287.302] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2760002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0287.302] GetFileType (hFile=0x94) returned 0x2 [0287.302] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef49c | out: lpMode=0x26ef49c) returned 1 [0287.303] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26ef4a8, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x26ef4a8*=0x1e) returned 1 [0287.303] GetFileType (hFile=0x94) returned 0x2 [0287.303] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef49c | out: lpMode=0x26ef49c) returned 1 [0287.303] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26ef4a8, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x26ef4a8*=0x2) returned 1 [0287.304] _ultow (in: _Dest=0x889, _Radix=40826096 | out: _Dest=0x889) returned="2185" [0287.304] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2760002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0287.304] GetFileType (hFile=0x94) returned 0x2 [0287.304] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef4c0 | out: lpMode=0x26ef4c0) returned 1 [0287.304] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26ef4cc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x26ef4cc*=0x34) returned 1 [0287.304] GetFileType (hFile=0x94) returned 0x2 [0287.304] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef4c0 | out: lpMode=0x26ef4c0) returned 1 [0287.305] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26ef4cc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x26ef4cc*=0x2) returned 1 [0287.305] NetApiBufferFree (Buffer=0x28e8640) returned 0x0 [0287.305] NetApiBufferFree (Buffer=0x28e8658) returned 0x0 [0287.305] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop zhudongfangyu /y" [0287.305] exit (_Code=2) Thread: id = 136 os_tid = 0x12f4 Process: id = "55" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x16be8000" os_pid = "0x1094" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop stc_raw_agent /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 137 os_tid = 0x119c Thread: id = 141 os_tid = 0x4f4 Process: id = "56" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x16dee000" os_pid = "0xa4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "55" os_parent_pid = "0x1094" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 138 os_tid = 0xfec Thread: id = 139 os_tid = 0xf7c Thread: id = 140 os_tid = 0x310 Process: id = "57" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x170ec000" os_pid = "0x1240" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "55" os_parent_pid = "0x1094" cmd_line = "C:\\WINDOWS\\system32\\net1 stop stc_raw_agent /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 142 os_tid = 0xef0 [0287.659] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0287.659] __set_app_type (_Type=0x1) [0287.659] __p__fmode () returned 0x776f3c14 [0287.659] __p__commode () returned 0x776f49ec [0287.659] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0287.659] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0287.660] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0287.660] GetConsoleOutputCP () returned 0x1b5 [0287.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0287.661] SetThreadUILanguage (LangId=0x0) returned 0x2980409 [0287.663] sprintf_s (in: _DstBuf=0x279fb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0287.664] setlocale (category=0, locale=".437") returned="English_United States.437" [0287.665] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0287.665] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0287.665] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop stc_raw_agent /y" [0287.665] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x279f940, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0287.665] RtlAllocateHeap (HeapHandle=0x2d90000, Flags=0x0, Size=0x6e) returned 0x2d97880 [0287.665] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0287.665] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x279f93c | out: Buffer=0x279f93c*=0x2d98640) returned 0x0 [0287.665] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x279f938 | out: Buffer=0x279f938*=0x2d984a8) returned 0x0 [0287.665] __iob_func () returned 0x776f2608 [0287.666] _fileno (_File=0x776f2608) returned 0 [0287.666] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0287.666] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0287.666] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0287.666] _wcsicmp (_String1="config", _String2="stop") returned -16 [0287.666] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0287.666] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0287.666] _wcsicmp (_String1="file", _String2="stop") returned -13 [0287.666] _wcsicmp (_String1="files", _String2="stop") returned -13 [0287.666] _wcsicmp (_String1="group", _String2="stop") returned -12 [0287.666] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0287.666] _wcsicmp (_String1="help", _String2="stop") returned -11 [0287.666] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0287.666] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0287.666] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0287.666] _wcsicmp (_String1="session", _String2="stop") returned -15 [0287.666] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0287.666] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0287.666] _wcsicmp (_String1="share", _String2="stop") returned -12 [0287.666] _wcsicmp (_String1="start", _String2="stop") returned -14 [0287.666] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0287.666] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0287.666] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0287.666] _wcsicmp (_String1="accounts", _String2="stc_raw_agent") returned -18 [0287.666] _wcsicmp (_String1="computer", _String2="stc_raw_agent") returned -16 [0287.666] _wcsicmp (_String1="config", _String2="stc_raw_agent") returned -16 [0287.666] _wcsicmp (_String1="continue", _String2="stc_raw_agent") returned -16 [0287.666] _wcsicmp (_String1="cont", _String2="stc_raw_agent") returned -16 [0287.666] _wcsicmp (_String1="file", _String2="stc_raw_agent") returned -13 [0287.666] _wcsicmp (_String1="files", _String2="stc_raw_agent") returned -13 [0287.666] _wcsicmp (_String1="group", _String2="stc_raw_agent") returned -12 [0287.666] _wcsicmp (_String1="groups", _String2="stc_raw_agent") returned -12 [0287.667] _wcsicmp (_String1="help", _String2="stc_raw_agent") returned -11 [0287.667] _wcsicmp (_String1="helpmsg", _String2="stc_raw_agent") returned -11 [0287.667] _wcsicmp (_String1="localgroup", _String2="stc_raw_agent") returned -7 [0287.667] _wcsicmp (_String1="pause", _String2="stc_raw_agent") returned -3 [0287.667] _wcsicmp (_String1="session", _String2="stc_raw_agent") returned -15 [0287.667] _wcsicmp (_String1="sessions", _String2="stc_raw_agent") returned -15 [0287.667] _wcsicmp (_String1="sess", _String2="stc_raw_agent") returned -15 [0287.667] _wcsicmp (_String1="share", _String2="stc_raw_agent") returned -12 [0287.667] _wcsicmp (_String1="start", _String2="stc_raw_agent") returned -2 [0287.667] _wcsicmp (_String1="stats", _String2="stc_raw_agent") returned -2 [0287.667] _wcsicmp (_String1="statistics", _String2="stc_raw_agent") returned -2 [0287.667] _wcsicmp (_String1="stop", _String2="stc_raw_agent") returned 12 [0287.667] _wcsicmp (_String1="time", _String2="stc_raw_agent") returned 1 [0287.667] _wcsicmp (_String1="user", _String2="stc_raw_agent") returned 2 [0287.667] _wcsicmp (_String1="users", _String2="stc_raw_agent") returned 2 [0287.667] _wcsicmp (_String1="msg", _String2="stc_raw_agent") returned -6 [0287.667] _wcsicmp (_String1="messenger", _String2="stc_raw_agent") returned -6 [0287.667] _wcsicmp (_String1="receiver", _String2="stc_raw_agent") returned -1 [0287.667] _wcsicmp (_String1="rcv", _String2="stc_raw_agent") returned -1 [0287.667] _wcsicmp (_String1="netpopup", _String2="stc_raw_agent") returned -5 [0287.668] _wcsicmp (_String1="redirector", _String2="stc_raw_agent") returned -1 [0287.668] _wcsicmp (_String1="redir", _String2="stc_raw_agent") returned -1 [0287.668] _wcsicmp (_String1="rdr", _String2="stc_raw_agent") returned -1 [0287.668] _wcsicmp (_String1="workstation", _String2="stc_raw_agent") returned 4 [0287.668] _wcsicmp (_String1="work", _String2="stc_raw_agent") returned 4 [0287.668] _wcsicmp (_String1="wksta", _String2="stc_raw_agent") returned 4 [0287.668] _wcsicmp (_String1="prdr", _String2="stc_raw_agent") returned -3 [0287.668] _wcsicmp (_String1="devrdr", _String2="stc_raw_agent") returned -15 [0287.668] _wcsicmp (_String1="lanmanworkstation", _String2="stc_raw_agent") returned -7 [0287.668] _wcsicmp (_String1="server", _String2="stc_raw_agent") returned -15 [0287.668] _wcsicmp (_String1="svr", _String2="stc_raw_agent") returned 2 [0287.668] _wcsicmp (_String1="srv", _String2="stc_raw_agent") returned -2 [0287.668] _wcsicmp (_String1="lanmanserver", _String2="stc_raw_agent") returned -7 [0287.668] _wcsicmp (_String1="alerter", _String2="stc_raw_agent") returned -18 [0287.668] _wcsicmp (_String1="netlogon", _String2="stc_raw_agent") returned -5 [0287.668] _wcsupr (in: _String="stc_raw_agent" | out: _String="STC_RAW_AGENT") returned="STC_RAW_AGENT" [0287.668] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2da07f0 [0287.671] GetServiceKeyNameW (in: hSCManager=0x2da07f0, lpDisplayName="STC_RAW_AGENT", lpServiceName=0x1c8c28, lpcchBuffer=0x279f8ac | out: lpServiceName="", lpcchBuffer=0x279f8ac) returned 0 [0287.672] _wcsicmp (_String1="msg", _String2="STC_RAW_AGENT") returned -6 [0287.672] _wcsicmp (_String1="messenger", _String2="STC_RAW_AGENT") returned -6 [0287.672] _wcsicmp (_String1="receiver", _String2="STC_RAW_AGENT") returned -1 [0287.672] _wcsicmp (_String1="rcv", _String2="STC_RAW_AGENT") returned -1 [0287.672] _wcsicmp (_String1="redirector", _String2="STC_RAW_AGENT") returned -1 [0287.672] _wcsicmp (_String1="redir", _String2="STC_RAW_AGENT") returned -1 [0287.672] _wcsicmp (_String1="rdr", _String2="STC_RAW_AGENT") returned -1 [0287.672] _wcsicmp (_String1="workstation", _String2="STC_RAW_AGENT") returned 4 [0287.672] _wcsicmp (_String1="work", _String2="STC_RAW_AGENT") returned 4 [0287.672] _wcsicmp (_String1="wksta", _String2="STC_RAW_AGENT") returned 4 [0287.672] _wcsicmp (_String1="prdr", _String2="STC_RAW_AGENT") returned -3 [0287.672] _wcsicmp (_String1="devrdr", _String2="STC_RAW_AGENT") returned -15 [0287.672] _wcsicmp (_String1="lanmanworkstation", _String2="STC_RAW_AGENT") returned -7 [0287.672] _wcsicmp (_String1="server", _String2="STC_RAW_AGENT") returned -15 [0287.672] _wcsicmp (_String1="svr", _String2="STC_RAW_AGENT") returned 2 [0287.672] _wcsicmp (_String1="srv", _String2="STC_RAW_AGENT") returned -2 [0287.672] _wcsicmp (_String1="lanmanserver", _String2="STC_RAW_AGENT") returned -7 [0287.672] _wcsicmp (_String1="alerter", _String2="STC_RAW_AGENT") returned -18 [0287.672] _wcsicmp (_String1="netlogon", _String2="STC_RAW_AGENT") returned -5 [0287.672] _wcsicmp (_String1="STC_RAW_AGENT", _String2="WORKSTATION") returned -4 [0287.672] _wcsicmp (_String1="STC_RAW_AGENT", _String2="LanmanWorkstation") returned 7 [0287.672] _wcsicmp (_String1="STC_RAW_AGENT", _String2="SERVER") returned 15 [0287.672] _wcsicmp (_String1="STC_RAW_AGENT", _String2="LanmanServer") returned 7 [0287.672] _wcsicmp (_String1="STC_RAW_AGENT", _String2="BROWSER") returned 17 [0287.672] _wcsicmp (_String1="STC_RAW_AGENT", _String2="BROWSER") returned 17 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="MESSENGER") returned 6 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="MESSENGER") returned 6 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="NETRUN") returned 5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="NETRUN") returned 5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="SPOOLER") returned 4 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="SPOOLER") returned 4 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="ALERTER") returned 18 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="ALERTER") returned 18 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="NETLOGON") returned 5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="NETLOGON") returned 5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="NETPOPUP") returned 5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="NETPOPUP") returned 5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="SQLSERVER") returned 3 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="SQLSERVER") returned 3 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="REPLICATOR") returned 1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="REPLICATOR") returned 1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="REMOTEBOOT") returned 1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="REMOTEBOOT") returned 1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="TIMESOURCE") returned -1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="TIMESOURCE") returned -1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="AFP") returned 18 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="AFP") returned 18 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="UPS") returned -2 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="UPS") returned -2 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="XACTSRV") returned -5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="XACTSRV") returned -5 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="TCPIP") returned -1 [0287.673] _wcsicmp (_String1="STC_RAW_AGENT", _String2="TCPIP") returned -1 [0287.673] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2da0840 [0287.674] OpenServiceW (hSCManager=0x2da0840, lpServiceName="STC_RAW_AGENT", dwDesiredAccess=0x84) returned 0x0 [0287.674] GetLastError () returned 0x424 [0287.674] CloseServiceHandle (hSCObject=0x2da0840) returned 1 [0287.674] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0287.674] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x27d0002 [0287.675] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x27d0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0287.675] GetFileType (hFile=0x94) returned 0x2 [0287.675] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x279f73c | out: lpMode=0x279f73c) returned 1 [0287.676] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x279f748, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x279f748*=0x1e) returned 1 [0287.676] GetFileType (hFile=0x94) returned 0x2 [0287.676] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x279f73c | out: lpMode=0x279f73c) returned 1 [0287.677] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x279f748, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x279f748*=0x2) returned 1 [0287.677] _ultow (in: _Dest=0x889, _Radix=41547664 | out: _Dest=0x889) returned="2185" [0287.677] FormatMessageW (in: dwFlags=0x2800, lpSource=0x27d0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0287.677] GetFileType (hFile=0x94) returned 0x2 [0287.677] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x279f760 | out: lpMode=0x279f760) returned 1 [0287.677] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x279f76c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x279f76c*=0x34) returned 1 [0287.678] GetFileType (hFile=0x94) returned 0x2 [0287.678] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x279f760 | out: lpMode=0x279f760) returned 1 [0287.678] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x279f76c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x279f76c*=0x2) returned 1 [0287.678] NetApiBufferFree (Buffer=0x2d98640) returned 0x0 [0287.678] NetApiBufferFree (Buffer=0x2d984a8) returned 0x0 [0287.678] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop stc_raw_agent /y" [0287.678] exit (_Code=2) Thread: id = 143 os_tid = 0xee8 Process: id = "58" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x16ded000" os_pid = "0x1210" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop VSNAPVSS /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 144 os_tid = 0x1294 Thread: id = 148 os_tid = 0xec0 Process: id = "59" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7bad2000" os_pid = "0x1298" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "58" os_parent_pid = "0x1210" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 145 os_tid = 0x1234 Thread: id = 146 os_tid = 0x1198 Thread: id = 147 os_tid = 0x1194 Process: id = "60" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5b16000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "58" os_parent_pid = "0x1210" cmd_line = "C:\\WINDOWS\\system32\\net1 stop VSNAPVSS /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 149 os_tid = 0x738 [0288.126] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0288.126] __set_app_type (_Type=0x1) [0288.126] __p__fmode () returned 0x776f3c14 [0288.126] __p__commode () returned 0x776f49ec [0288.126] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0288.126] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0288.126] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0288.126] GetConsoleOutputCP () returned 0x1b5 [0288.127] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0288.127] SetThreadUILanguage (LangId=0x0) returned 0x2e80409 [0288.129] sprintf_s (in: _DstBuf=0x2defcec, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0288.130] setlocale (category=0, locale=".437") returned="English_United States.437" [0288.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0288.131] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0288.131] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VSNAPVSS /y" [0288.131] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2defa94, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0288.131] RtlAllocateHeap (HeapHandle=0x32d0000, Flags=0x0, Size=0x64) returned 0x32d4398 [0288.131] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0288.132] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2defa90 | out: Buffer=0x2defa90*=0x32d84a0) returned 0x0 [0288.132] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2defa8c | out: Buffer=0x2defa8c*=0x32d8518) returned 0x0 [0288.132] __iob_func () returned 0x776f2608 [0288.132] _fileno (_File=0x776f2608) returned 0 [0288.132] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0288.132] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0288.132] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0288.132] _wcsicmp (_String1="config", _String2="stop") returned -16 [0288.132] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0288.132] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0288.132] _wcsicmp (_String1="file", _String2="stop") returned -13 [0288.132] _wcsicmp (_String1="files", _String2="stop") returned -13 [0288.132] _wcsicmp (_String1="group", _String2="stop") returned -12 [0288.132] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0288.132] _wcsicmp (_String1="help", _String2="stop") returned -11 [0288.132] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0288.132] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0288.132] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0288.132] _wcsicmp (_String1="session", _String2="stop") returned -15 [0288.132] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0288.132] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0288.132] _wcsicmp (_String1="share", _String2="stop") returned -12 [0288.132] _wcsicmp (_String1="start", _String2="stop") returned -14 [0288.132] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0288.132] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0288.132] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0288.132] _wcsicmp (_String1="accounts", _String2="VSNAPVSS") returned -21 [0288.132] _wcsicmp (_String1="computer", _String2="VSNAPVSS") returned -19 [0288.132] _wcsicmp (_String1="config", _String2="VSNAPVSS") returned -19 [0288.132] _wcsicmp (_String1="continue", _String2="VSNAPVSS") returned -19 [0288.133] _wcsicmp (_String1="cont", _String2="VSNAPVSS") returned -19 [0288.133] _wcsicmp (_String1="file", _String2="VSNAPVSS") returned -16 [0288.133] _wcsicmp (_String1="files", _String2="VSNAPVSS") returned -16 [0288.133] _wcsicmp (_String1="group", _String2="VSNAPVSS") returned -15 [0288.133] _wcsicmp (_String1="groups", _String2="VSNAPVSS") returned -15 [0288.133] _wcsicmp (_String1="help", _String2="VSNAPVSS") returned -14 [0288.133] _wcsicmp (_String1="helpmsg", _String2="VSNAPVSS") returned -14 [0288.133] _wcsicmp (_String1="localgroup", _String2="VSNAPVSS") returned -10 [0288.133] _wcsicmp (_String1="pause", _String2="VSNAPVSS") returned -6 [0288.133] _wcsicmp (_String1="session", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="sessions", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="sess", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="share", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="start", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="stats", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="statistics", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="stop", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="time", _String2="VSNAPVSS") returned -2 [0288.133] _wcsicmp (_String1="user", _String2="VSNAPVSS") returned -1 [0288.133] _wcsicmp (_String1="users", _String2="VSNAPVSS") returned -1 [0288.133] _wcsicmp (_String1="msg", _String2="VSNAPVSS") returned -9 [0288.133] _wcsicmp (_String1="messenger", _String2="VSNAPVSS") returned -9 [0288.133] _wcsicmp (_String1="receiver", _String2="VSNAPVSS") returned -4 [0288.133] _wcsicmp (_String1="rcv", _String2="VSNAPVSS") returned -4 [0288.133] _wcsicmp (_String1="netpopup", _String2="VSNAPVSS") returned -8 [0288.133] _wcsicmp (_String1="redirector", _String2="VSNAPVSS") returned -4 [0288.133] _wcsicmp (_String1="redir", _String2="VSNAPVSS") returned -4 [0288.133] _wcsicmp (_String1="rdr", _String2="VSNAPVSS") returned -4 [0288.133] _wcsicmp (_String1="workstation", _String2="VSNAPVSS") returned 1 [0288.133] _wcsicmp (_String1="work", _String2="VSNAPVSS") returned 1 [0288.133] _wcsicmp (_String1="wksta", _String2="VSNAPVSS") returned 1 [0288.133] _wcsicmp (_String1="prdr", _String2="VSNAPVSS") returned -6 [0288.133] _wcsicmp (_String1="devrdr", _String2="VSNAPVSS") returned -18 [0288.133] _wcsicmp (_String1="lanmanworkstation", _String2="VSNAPVSS") returned -10 [0288.133] _wcsicmp (_String1="server", _String2="VSNAPVSS") returned -3 [0288.133] _wcsicmp (_String1="svr", _String2="VSNAPVSS") returned -3 [0288.134] _wcsicmp (_String1="srv", _String2="VSNAPVSS") returned -3 [0288.134] _wcsicmp (_String1="lanmanserver", _String2="VSNAPVSS") returned -10 [0288.134] _wcsicmp (_String1="alerter", _String2="VSNAPVSS") returned -21 [0288.134] _wcsicmp (_String1="netlogon", _String2="VSNAPVSS") returned -8 [0288.134] _wcsupr (in: _String="VSNAPVSS" | out: _String="VSNAPVSS") returned="VSNAPVSS" [0288.134] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32e0ac0 [0288.186] GetServiceKeyNameW (in: hSCManager=0x32e0ac0, lpDisplayName="VSNAPVSS", lpServiceName=0x1c8c28, lpcchBuffer=0x2defa04 | out: lpServiceName="", lpcchBuffer=0x2defa04) returned 0 [0288.187] _wcsicmp (_String1="msg", _String2="VSNAPVSS") returned -9 [0288.187] _wcsicmp (_String1="messenger", _String2="VSNAPVSS") returned -9 [0288.187] _wcsicmp (_String1="receiver", _String2="VSNAPVSS") returned -4 [0288.187] _wcsicmp (_String1="rcv", _String2="VSNAPVSS") returned -4 [0288.187] _wcsicmp (_String1="redirector", _String2="VSNAPVSS") returned -4 [0288.187] _wcsicmp (_String1="redir", _String2="VSNAPVSS") returned -4 [0288.187] _wcsicmp (_String1="rdr", _String2="VSNAPVSS") returned -4 [0288.187] _wcsicmp (_String1="workstation", _String2="VSNAPVSS") returned 1 [0288.187] _wcsicmp (_String1="work", _String2="VSNAPVSS") returned 1 [0288.187] _wcsicmp (_String1="wksta", _String2="VSNAPVSS") returned 1 [0288.187] _wcsicmp (_String1="prdr", _String2="VSNAPVSS") returned -6 [0288.187] _wcsicmp (_String1="devrdr", _String2="VSNAPVSS") returned -18 [0288.187] _wcsicmp (_String1="lanmanworkstation", _String2="VSNAPVSS") returned -10 [0288.187] _wcsicmp (_String1="server", _String2="VSNAPVSS") returned -3 [0288.187] _wcsicmp (_String1="svr", _String2="VSNAPVSS") returned -3 [0288.187] _wcsicmp (_String1="srv", _String2="VSNAPVSS") returned -3 [0288.187] _wcsicmp (_String1="lanmanserver", _String2="VSNAPVSS") returned -10 [0288.187] _wcsicmp (_String1="alerter", _String2="VSNAPVSS") returned -21 [0288.187] _wcsicmp (_String1="netlogon", _String2="VSNAPVSS") returned -8 [0288.187] _wcsicmp (_String1="VSNAPVSS", _String2="WORKSTATION") returned -1 [0288.187] _wcsicmp (_String1="VSNAPVSS", _String2="LanmanWorkstation") returned 10 [0288.187] _wcsicmp (_String1="VSNAPVSS", _String2="SERVER") returned 3 [0288.187] _wcsicmp (_String1="VSNAPVSS", _String2="LanmanServer") returned 10 [0288.187] _wcsicmp (_String1="VSNAPVSS", _String2="BROWSER") returned 20 [0288.187] _wcsicmp (_String1="VSNAPVSS", _String2="BROWSER") returned 20 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="MESSENGER") returned 9 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="MESSENGER") returned 9 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="NETRUN") returned 8 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="NETRUN") returned 8 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="SPOOLER") returned 3 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="SPOOLER") returned 3 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="ALERTER") returned 21 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="ALERTER") returned 21 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="NETLOGON") returned 8 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="NETLOGON") returned 8 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="NETPOPUP") returned 8 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="NETPOPUP") returned 8 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="SQLSERVER") returned 3 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="SQLSERVER") returned 3 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="REPLICATOR") returned 4 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="REPLICATOR") returned 4 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="REMOTEBOOT") returned 4 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="REMOTEBOOT") returned 4 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="TIMESOURCE") returned 2 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="TIMESOURCE") returned 2 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="AFP") returned 21 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="AFP") returned 21 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="UPS") returned 1 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="UPS") returned 1 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="XACTSRV") returned -2 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="XACTSRV") returned -2 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="TCPIP") returned 2 [0288.188] _wcsicmp (_String1="VSNAPVSS", _String2="TCPIP") returned 2 [0288.188] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x32e0930 [0288.189] OpenServiceW (hSCManager=0x32e0930, lpServiceName="VSNAPVSS", dwDesiredAccess=0x84) returned 0x0 [0288.189] GetLastError () returned 0x424 [0288.189] CloseServiceHandle (hSCObject=0x32e0930) returned 1 [0288.189] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0288.189] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x31c0002 [0288.190] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x31c0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0288.191] GetFileType (hFile=0x94) returned 0x2 [0288.191] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2def894 | out: lpMode=0x2def894) returned 1 [0288.191] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2def8a0, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2def8a0*=0x1e) returned 1 [0288.192] GetFileType (hFile=0x94) returned 0x2 [0288.192] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2def894 | out: lpMode=0x2def894) returned 1 [0288.192] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2def8a0, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2def8a0*=0x2) returned 1 [0288.192] _ultow (in: _Dest=0x889, _Radix=48167144 | out: _Dest=0x889) returned="2185" [0288.192] FormatMessageW (in: dwFlags=0x2800, lpSource=0x31c0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0288.193] GetFileType (hFile=0x94) returned 0x2 [0288.193] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2def8b8 | out: lpMode=0x2def8b8) returned 1 [0288.193] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2def8c4, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2def8c4*=0x34) returned 1 [0288.193] GetFileType (hFile=0x94) returned 0x2 [0288.193] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2def8b8 | out: lpMode=0x2def8b8) returned 1 [0288.194] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2def8c4, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2def8c4*=0x2) returned 1 [0288.194] NetApiBufferFree (Buffer=0x32d84a0) returned 0x0 [0288.194] NetApiBufferFree (Buffer=0x32d8518) returned 0x0 [0288.194] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VSNAPVSS /y" [0288.194] exit (_Code=2) Thread: id = 150 os_tid = 0xcb8 Process: id = "61" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x70a72000" os_pid = "0x129c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop VeeamTransportSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 151 os_tid = 0x1124 Thread: id = 155 os_tid = 0x71c Process: id = "62" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3a054000" os_pid = "0xfc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "61" os_parent_pid = "0x129c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 152 os_tid = 0x1108 Thread: id = 153 os_tid = 0xfc8 Thread: id = 154 os_tid = 0x111c Process: id = "63" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x150d3000" os_pid = "0xd14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "61" os_parent_pid = "0x129c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop VeeamTransportSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 156 os_tid = 0xa74 [0288.634] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0288.634] __set_app_type (_Type=0x1) [0288.634] __p__fmode () returned 0x776f3c14 [0288.634] __p__commode () returned 0x776f49ec [0288.634] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0288.635] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0288.635] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0288.635] GetConsoleOutputCP () returned 0x1b5 [0288.635] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0288.635] SetThreadUILanguage (LangId=0x0) returned 0x26b0409 [0288.638] sprintf_s (in: _DstBuf=0x287f9ec, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0288.638] setlocale (category=0, locale=".437") returned="English_United States.437" [0288.640] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0288.640] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0288.640] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VeeamTransportSvc /y" [0288.640] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x287f794, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0288.640] RtlAllocateHeap (HeapHandle=0x2b90000, Flags=0x0, Size=0x76) returned 0x2b97ab8 [0288.640] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0288.640] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x287f790 | out: Buffer=0x287f790*=0x2b97de0) returned 0x0 [0288.640] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x287f78c | out: Buffer=0x287f78c*=0x2b97e28) returned 0x0 [0288.640] __iob_func () returned 0x776f2608 [0288.640] _fileno (_File=0x776f2608) returned 0 [0288.640] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0288.640] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0288.641] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0288.641] _wcsicmp (_String1="config", _String2="stop") returned -16 [0288.641] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0288.641] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0288.641] _wcsicmp (_String1="file", _String2="stop") returned -13 [0288.641] _wcsicmp (_String1="files", _String2="stop") returned -13 [0288.641] _wcsicmp (_String1="group", _String2="stop") returned -12 [0288.641] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0288.641] _wcsicmp (_String1="help", _String2="stop") returned -11 [0288.641] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0288.641] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0288.641] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0288.641] _wcsicmp (_String1="session", _String2="stop") returned -15 [0288.641] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0288.641] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0288.641] _wcsicmp (_String1="share", _String2="stop") returned -12 [0288.641] _wcsicmp (_String1="start", _String2="stop") returned -14 [0288.641] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0288.641] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0288.641] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0288.641] _wcsicmp (_String1="accounts", _String2="VeeamTransportSvc") returned -21 [0288.641] _wcsicmp (_String1="computer", _String2="VeeamTransportSvc") returned -19 [0288.641] _wcsicmp (_String1="config", _String2="VeeamTransportSvc") returned -19 [0288.641] _wcsicmp (_String1="continue", _String2="VeeamTransportSvc") returned -19 [0288.641] _wcsicmp (_String1="cont", _String2="VeeamTransportSvc") returned -19 [0288.641] _wcsicmp (_String1="file", _String2="VeeamTransportSvc") returned -16 [0288.641] _wcsicmp (_String1="files", _String2="VeeamTransportSvc") returned -16 [0288.641] _wcsicmp (_String1="group", _String2="VeeamTransportSvc") returned -15 [0288.641] _wcsicmp (_String1="groups", _String2="VeeamTransportSvc") returned -15 [0288.641] _wcsicmp (_String1="help", _String2="VeeamTransportSvc") returned -14 [0288.641] _wcsicmp (_String1="helpmsg", _String2="VeeamTransportSvc") returned -14 [0288.641] _wcsicmp (_String1="localgroup", _String2="VeeamTransportSvc") returned -10 [0288.641] _wcsicmp (_String1="pause", _String2="VeeamTransportSvc") returned -6 [0288.641] _wcsicmp (_String1="session", _String2="VeeamTransportSvc") returned -3 [0288.641] _wcsicmp (_String1="sessions", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="sess", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="share", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="start", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="stats", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="statistics", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="stop", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="time", _String2="VeeamTransportSvc") returned -2 [0288.642] _wcsicmp (_String1="user", _String2="VeeamTransportSvc") returned -1 [0288.642] _wcsicmp (_String1="users", _String2="VeeamTransportSvc") returned -1 [0288.642] _wcsicmp (_String1="msg", _String2="VeeamTransportSvc") returned -9 [0288.642] _wcsicmp (_String1="messenger", _String2="VeeamTransportSvc") returned -9 [0288.642] _wcsicmp (_String1="receiver", _String2="VeeamTransportSvc") returned -4 [0288.642] _wcsicmp (_String1="rcv", _String2="VeeamTransportSvc") returned -4 [0288.642] _wcsicmp (_String1="netpopup", _String2="VeeamTransportSvc") returned -8 [0288.642] _wcsicmp (_String1="redirector", _String2="VeeamTransportSvc") returned -4 [0288.642] _wcsicmp (_String1="redir", _String2="VeeamTransportSvc") returned -4 [0288.642] _wcsicmp (_String1="rdr", _String2="VeeamTransportSvc") returned -4 [0288.642] _wcsicmp (_String1="workstation", _String2="VeeamTransportSvc") returned 1 [0288.642] _wcsicmp (_String1="work", _String2="VeeamTransportSvc") returned 1 [0288.642] _wcsicmp (_String1="wksta", _String2="VeeamTransportSvc") returned 1 [0288.642] _wcsicmp (_String1="prdr", _String2="VeeamTransportSvc") returned -6 [0288.642] _wcsicmp (_String1="devrdr", _String2="VeeamTransportSvc") returned -18 [0288.642] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamTransportSvc") returned -10 [0288.642] _wcsicmp (_String1="server", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="svr", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="srv", _String2="VeeamTransportSvc") returned -3 [0288.642] _wcsicmp (_String1="lanmanserver", _String2="VeeamTransportSvc") returned -10 [0288.642] _wcsicmp (_String1="alerter", _String2="VeeamTransportSvc") returned -21 [0288.642] _wcsicmp (_String1="netlogon", _String2="VeeamTransportSvc") returned -8 [0288.642] _wcsupr (in: _String="VeeamTransportSvc" | out: _String="VEEAMTRANSPORTSVC") returned="VEEAMTRANSPORTSVC" [0288.642] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ba0b00 [0288.645] GetServiceKeyNameW (in: hSCManager=0x2ba0b00, lpDisplayName="VEEAMTRANSPORTSVC", lpServiceName=0x1c8c28, lpcchBuffer=0x287f704 | out: lpServiceName="", lpcchBuffer=0x287f704) returned 0 [0288.646] _wcsicmp (_String1="msg", _String2="VEEAMTRANSPORTSVC") returned -9 [0288.646] _wcsicmp (_String1="messenger", _String2="VEEAMTRANSPORTSVC") returned -9 [0288.646] _wcsicmp (_String1="receiver", _String2="VEEAMTRANSPORTSVC") returned -4 [0288.646] _wcsicmp (_String1="rcv", _String2="VEEAMTRANSPORTSVC") returned -4 [0288.646] _wcsicmp (_String1="redirector", _String2="VEEAMTRANSPORTSVC") returned -4 [0288.646] _wcsicmp (_String1="redir", _String2="VEEAMTRANSPORTSVC") returned -4 [0288.646] _wcsicmp (_String1="rdr", _String2="VEEAMTRANSPORTSVC") returned -4 [0288.646] _wcsicmp (_String1="workstation", _String2="VEEAMTRANSPORTSVC") returned 1 [0288.646] _wcsicmp (_String1="work", _String2="VEEAMTRANSPORTSVC") returned 1 [0288.646] _wcsicmp (_String1="wksta", _String2="VEEAMTRANSPORTSVC") returned 1 [0288.646] _wcsicmp (_String1="prdr", _String2="VEEAMTRANSPORTSVC") returned -6 [0288.646] _wcsicmp (_String1="devrdr", _String2="VEEAMTRANSPORTSVC") returned -18 [0288.647] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMTRANSPORTSVC") returned -10 [0288.647] _wcsicmp (_String1="server", _String2="VEEAMTRANSPORTSVC") returned -3 [0288.647] _wcsicmp (_String1="svr", _String2="VEEAMTRANSPORTSVC") returned -3 [0288.647] _wcsicmp (_String1="srv", _String2="VEEAMTRANSPORTSVC") returned -3 [0288.647] _wcsicmp (_String1="lanmanserver", _String2="VEEAMTRANSPORTSVC") returned -10 [0288.647] _wcsicmp (_String1="alerter", _String2="VEEAMTRANSPORTSVC") returned -21 [0288.647] _wcsicmp (_String1="netlogon", _String2="VEEAMTRANSPORTSVC") returned -8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="WORKSTATION") returned -1 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="LanmanWorkstation") returned 10 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="SERVER") returned 3 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="LanmanServer") returned 10 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="BROWSER") returned 20 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="BROWSER") returned 20 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="MESSENGER") returned 9 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="MESSENGER") returned 9 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="NETRUN") returned 8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="NETRUN") returned 8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="SPOOLER") returned 3 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="SPOOLER") returned 3 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="ALERTER") returned 21 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="ALERTER") returned 21 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="NETLOGON") returned 8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="NETLOGON") returned 8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="NETPOPUP") returned 8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="NETPOPUP") returned 8 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="SQLSERVER") returned 3 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="SQLSERVER") returned 3 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="REPLICATOR") returned 4 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="REPLICATOR") returned 4 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="REMOTEBOOT") returned 4 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="REMOTEBOOT") returned 4 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="TIMESOURCE") returned 2 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="TIMESOURCE") returned 2 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="AFP") returned 21 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="AFP") returned 21 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="UPS") returned 1 [0288.647] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="UPS") returned 1 [0288.648] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="XACTSRV") returned -2 [0288.648] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="XACTSRV") returned -2 [0288.648] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="TCPIP") returned 2 [0288.648] _wcsicmp (_String1="VEEAMTRANSPORTSVC", _String2="TCPIP") returned 2 [0288.648] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2ba0768 [0288.648] OpenServiceW (hSCManager=0x2ba0768, lpServiceName="VEEAMTRANSPORTSVC", dwDesiredAccess=0x84) returned 0x0 [0288.648] GetLastError () returned 0x424 [0288.648] CloseServiceHandle (hSCObject=0x2ba0768) returned 1 [0288.649] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0288.649] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x25e0002 [0288.649] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x25e0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0288.650] GetFileType (hFile=0x94) returned 0x2 [0288.650] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x287f594 | out: lpMode=0x287f594) returned 1 [0288.650] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x287f5a0, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x287f5a0*=0x1e) returned 1 [0288.651] GetFileType (hFile=0x94) returned 0x2 [0288.651] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x287f594 | out: lpMode=0x287f594) returned 1 [0288.651] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x287f5a0, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x287f5a0*=0x2) returned 1 [0288.651] _ultow (in: _Dest=0x889, _Radix=42464744 | out: _Dest=0x889) returned="2185" [0288.651] FormatMessageW (in: dwFlags=0x2800, lpSource=0x25e0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0288.652] GetFileType (hFile=0x94) returned 0x2 [0288.652] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x287f5b8 | out: lpMode=0x287f5b8) returned 1 [0288.652] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x287f5c4, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x287f5c4*=0x34) returned 1 [0288.652] GetFileType (hFile=0x94) returned 0x2 [0288.652] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x287f5b8 | out: lpMode=0x287f5b8) returned 1 [0288.653] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x287f5c4, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x287f5c4*=0x2) returned 1 [0288.653] NetApiBufferFree (Buffer=0x2b97de0) returned 0x0 [0288.653] NetApiBufferFree (Buffer=0x2b97e28) returned 0x0 [0288.653] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VeeamTransportSvc /y" [0288.653] exit (_Code=2) Thread: id = 157 os_tid = 0xdbc Process: id = "64" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x38275000" os_pid = "0xc18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop VeeamDeploymentService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 158 os_tid = 0xbf8 Thread: id = 162 os_tid = 0x994 Process: id = "65" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6f9cc000" os_pid = "0xd90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "64" os_parent_pid = "0xc18" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 159 os_tid = 0x794 Thread: id = 160 os_tid = 0xf6c Thread: id = 161 os_tid = 0x1394 Process: id = "66" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x14b4a000" os_pid = "0x480" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "64" os_parent_pid = "0xc18" cmd_line = "C:\\WINDOWS\\system32\\net1 stop VeeamDeploymentService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 163 os_tid = 0xed8 [0289.496] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0289.496] __set_app_type (_Type=0x1) [0289.496] __p__fmode () returned 0x776f3c14 [0289.496] __p__commode () returned 0x776f49ec [0289.496] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0289.496] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0289.496] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0289.496] GetConsoleOutputCP () returned 0x1b5 [0289.497] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0289.497] SetThreadUILanguage (LangId=0x0) returned 0x2bb0409 [0289.500] sprintf_s (in: _DstBuf=0x2cbf850, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0289.500] setlocale (category=0, locale=".437") returned="English_United States.437" [0289.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0289.502] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0289.502] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VeeamDeploymentService /y" [0289.502] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cbf5f8, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0289.502] RtlAllocateHeap (HeapHandle=0x3010000, Flags=0x0, Size=0x80) returned 0x30182d8 [0289.502] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0289.502] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cbf5f4 | out: Buffer=0x2cbf5f4*=0x3017cf8) returned 0x0 [0289.502] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cbf5f0 | out: Buffer=0x2cbf5f0*=0x3017d10) returned 0x0 [0289.502] __iob_func () returned 0x776f2608 [0289.502] _fileno (_File=0x776f2608) returned 0 [0289.502] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0289.502] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0289.502] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0289.502] _wcsicmp (_String1="config", _String2="stop") returned -16 [0289.502] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0289.502] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0289.502] _wcsicmp (_String1="file", _String2="stop") returned -13 [0289.502] _wcsicmp (_String1="files", _String2="stop") returned -13 [0289.502] _wcsicmp (_String1="group", _String2="stop") returned -12 [0289.503] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0289.503] _wcsicmp (_String1="help", _String2="stop") returned -11 [0289.503] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0289.503] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0289.503] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0289.503] _wcsicmp (_String1="session", _String2="stop") returned -15 [0289.503] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0289.503] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0289.503] _wcsicmp (_String1="share", _String2="stop") returned -12 [0289.503] _wcsicmp (_String1="start", _String2="stop") returned -14 [0289.503] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0289.503] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0289.503] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0289.503] _wcsicmp (_String1="accounts", _String2="VeeamDeploymentService") returned -21 [0289.503] _wcsicmp (_String1="computer", _String2="VeeamDeploymentService") returned -19 [0289.503] _wcsicmp (_String1="config", _String2="VeeamDeploymentService") returned -19 [0289.503] _wcsicmp (_String1="continue", _String2="VeeamDeploymentService") returned -19 [0289.503] _wcsicmp (_String1="cont", _String2="VeeamDeploymentService") returned -19 [0289.503] _wcsicmp (_String1="file", _String2="VeeamDeploymentService") returned -16 [0289.503] _wcsicmp (_String1="files", _String2="VeeamDeploymentService") returned -16 [0289.503] _wcsicmp (_String1="group", _String2="VeeamDeploymentService") returned -15 [0289.503] _wcsicmp (_String1="groups", _String2="VeeamDeploymentService") returned -15 [0289.503] _wcsicmp (_String1="help", _String2="VeeamDeploymentService") returned -14 [0289.503] _wcsicmp (_String1="helpmsg", _String2="VeeamDeploymentService") returned -14 [0289.503] _wcsicmp (_String1="localgroup", _String2="VeeamDeploymentService") returned -10 [0289.503] _wcsicmp (_String1="pause", _String2="VeeamDeploymentService") returned -6 [0289.503] _wcsicmp (_String1="session", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="sessions", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="sess", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="share", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="start", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="stats", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="statistics", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="stop", _String2="VeeamDeploymentService") returned -3 [0289.503] _wcsicmp (_String1="time", _String2="VeeamDeploymentService") returned -2 [0289.503] _wcsicmp (_String1="user", _String2="VeeamDeploymentService") returned -1 [0289.504] _wcsicmp (_String1="users", _String2="VeeamDeploymentService") returned -1 [0289.504] _wcsicmp (_String1="msg", _String2="VeeamDeploymentService") returned -9 [0289.504] _wcsicmp (_String1="messenger", _String2="VeeamDeploymentService") returned -9 [0289.504] _wcsicmp (_String1="receiver", _String2="VeeamDeploymentService") returned -4 [0289.504] _wcsicmp (_String1="rcv", _String2="VeeamDeploymentService") returned -4 [0289.504] _wcsicmp (_String1="netpopup", _String2="VeeamDeploymentService") returned -8 [0289.504] _wcsicmp (_String1="redirector", _String2="VeeamDeploymentService") returned -4 [0289.504] _wcsicmp (_String1="redir", _String2="VeeamDeploymentService") returned -4 [0289.504] _wcsicmp (_String1="rdr", _String2="VeeamDeploymentService") returned -4 [0289.504] _wcsicmp (_String1="workstation", _String2="VeeamDeploymentService") returned 1 [0289.504] _wcsicmp (_String1="work", _String2="VeeamDeploymentService") returned 1 [0289.504] _wcsicmp (_String1="wksta", _String2="VeeamDeploymentService") returned 1 [0289.504] _wcsicmp (_String1="prdr", _String2="VeeamDeploymentService") returned -6 [0289.504] _wcsicmp (_String1="devrdr", _String2="VeeamDeploymentService") returned -18 [0289.504] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamDeploymentService") returned -10 [0289.504] _wcsicmp (_String1="server", _String2="VeeamDeploymentService") returned -3 [0289.504] _wcsicmp (_String1="svr", _String2="VeeamDeploymentService") returned -3 [0289.504] _wcsicmp (_String1="srv", _String2="VeeamDeploymentService") returned -3 [0289.504] _wcsicmp (_String1="lanmanserver", _String2="VeeamDeploymentService") returned -10 [0289.504] _wcsicmp (_String1="alerter", _String2="VeeamDeploymentService") returned -21 [0289.504] _wcsicmp (_String1="netlogon", _String2="VeeamDeploymentService") returned -8 [0289.504] _wcsupr (in: _String="VeeamDeploymentService" | out: _String="VEEAMDEPLOYMENTSERVICE") returned="VEEAMDEPLOYMENTSERVICE" [0289.504] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x30207d0 [0289.507] GetServiceKeyNameW (in: hSCManager=0x30207d0, lpDisplayName="VEEAMDEPLOYMENTSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x2cbf564 | out: lpServiceName="", lpcchBuffer=0x2cbf564) returned 0 [0289.508] _wcsicmp (_String1="msg", _String2="VEEAMDEPLOYMENTSERVICE") returned -9 [0289.508] _wcsicmp (_String1="messenger", _String2="VEEAMDEPLOYMENTSERVICE") returned -9 [0289.508] _wcsicmp (_String1="receiver", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0289.508] _wcsicmp (_String1="rcv", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0289.508] _wcsicmp (_String1="redirector", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0289.508] _wcsicmp (_String1="redir", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0289.508] _wcsicmp (_String1="rdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0289.508] _wcsicmp (_String1="workstation", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0289.508] _wcsicmp (_String1="work", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0289.508] _wcsicmp (_String1="wksta", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0289.508] _wcsicmp (_String1="prdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -6 [0289.508] _wcsicmp (_String1="devrdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -18 [0289.508] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMDEPLOYMENTSERVICE") returned -10 [0289.508] _wcsicmp (_String1="server", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0289.508] _wcsicmp (_String1="svr", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0289.508] _wcsicmp (_String1="srv", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0289.508] _wcsicmp (_String1="lanmanserver", _String2="VEEAMDEPLOYMENTSERVICE") returned -10 [0289.509] _wcsicmp (_String1="alerter", _String2="VEEAMDEPLOYMENTSERVICE") returned -21 [0289.509] _wcsicmp (_String1="netlogon", _String2="VEEAMDEPLOYMENTSERVICE") returned -8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="WORKSTATION") returned -1 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="LanmanWorkstation") returned 10 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="SERVER") returned 3 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="LanmanServer") returned 10 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="BROWSER") returned 20 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="BROWSER") returned 20 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="MESSENGER") returned 9 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="MESSENGER") returned 9 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="NETRUN") returned 8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="NETRUN") returned 8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="SPOOLER") returned 3 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="SPOOLER") returned 3 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="ALERTER") returned 21 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="ALERTER") returned 21 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="NETLOGON") returned 8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="NETLOGON") returned 8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="NETPOPUP") returned 8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="NETPOPUP") returned 8 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="SQLSERVER") returned 3 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="SQLSERVER") returned 3 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="REPLICATOR") returned 4 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="REPLICATOR") returned 4 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="REMOTEBOOT") returned 4 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="REMOTEBOOT") returned 4 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="TIMESOURCE") returned 2 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="TIMESOURCE") returned 2 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="AFP") returned 21 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="AFP") returned 21 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="UPS") returned 1 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="UPS") returned 1 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="XACTSRV") returned -2 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="XACTSRV") returned -2 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="TCPIP") returned 2 [0289.509] _wcsicmp (_String1="VEEAMDEPLOYMENTSERVICE", _String2="TCPIP") returned 2 [0289.509] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3020a28 [0289.510] OpenServiceW (hSCManager=0x3020a28, lpServiceName="VEEAMDEPLOYMENTSERVICE", dwDesiredAccess=0x84) returned 0x0 [0289.510] GetLastError () returned 0x424 [0289.510] CloseServiceHandle (hSCObject=0x3020a28) returned 1 [0289.510] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0289.510] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2e80002 [0289.511] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2e80002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0289.512] GetFileType (hFile=0x94) returned 0x2 [0289.512] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf3f4 | out: lpMode=0x2cbf3f4) returned 1 [0289.512] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2cbf400, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2cbf400*=0x1e) returned 1 [0289.513] GetFileType (hFile=0x94) returned 0x2 [0289.513] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf3f4 | out: lpMode=0x2cbf3f4) returned 1 [0289.513] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2cbf400, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2cbf400*=0x2) returned 1 [0289.514] _ultow (in: _Dest=0x889, _Radix=46920776 | out: _Dest=0x889) returned="2185" [0289.514] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2e80002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0289.514] GetFileType (hFile=0x94) returned 0x2 [0289.514] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf418 | out: lpMode=0x2cbf418) returned 1 [0289.515] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2cbf424, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2cbf424*=0x34) returned 1 [0289.515] GetFileType (hFile=0x94) returned 0x2 [0289.515] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf418 | out: lpMode=0x2cbf418) returned 1 [0289.515] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2cbf424, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2cbf424*=0x2) returned 1 [0289.516] NetApiBufferFree (Buffer=0x3017cf8) returned 0x0 [0289.516] NetApiBufferFree (Buffer=0x3017d10) returned 0x0 [0289.516] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VeeamDeploymentService /y" [0289.516] exit (_Code=2) Thread: id = 164 os_tid = 0xd80 Process: id = "67" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x8dfa000" os_pid = "0xe28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop VeeamNFSSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 165 os_tid = 0xe18 Thread: id = 169 os_tid = 0xe30 Process: id = "68" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x76d5000" os_pid = "0x1070" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "67" os_parent_pid = "0xe28" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 166 os_tid = 0xe10 Thread: id = 167 os_tid = 0xe20 Thread: id = 168 os_tid = 0xe2c Process: id = "69" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x79b53000" os_pid = "0xe24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "67" os_parent_pid = "0xe28" cmd_line = "C:\\WINDOWS\\system32\\net1 stop VeeamNFSSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 170 os_tid = 0xe1c [0289.900] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0289.900] __set_app_type (_Type=0x1) [0289.900] __p__fmode () returned 0x776f3c14 [0289.900] __p__commode () returned 0x776f49ec [0289.900] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0289.901] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0289.901] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0289.901] GetConsoleOutputCP () returned 0x1b5 [0289.902] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0289.902] SetThreadUILanguage (LangId=0x0) returned 0x2280409 [0289.905] sprintf_s (in: _DstBuf=0x15fe80, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0289.905] setlocale (category=0, locale=".437") returned="English_United States.437" [0289.906] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0289.906] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0289.906] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VeeamNFSSvc /y" [0289.906] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x15fc28, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0289.906] RtlAllocateHeap (HeapHandle=0x25c0000, Flags=0x0, Size=0x6a) returned 0x25c7878 [0289.907] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0289.907] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15fc24 | out: Buffer=0x15fc24*=0x25c85c0) returned 0x0 [0289.907] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15fc20 | out: Buffer=0x15fc20*=0x25c8560) returned 0x0 [0289.907] __iob_func () returned 0x776f2608 [0289.907] _fileno (_File=0x776f2608) returned 0 [0289.907] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0289.907] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0289.907] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0289.907] _wcsicmp (_String1="config", _String2="stop") returned -16 [0289.907] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0289.907] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0289.907] _wcsicmp (_String1="file", _String2="stop") returned -13 [0289.907] _wcsicmp (_String1="files", _String2="stop") returned -13 [0289.907] _wcsicmp (_String1="group", _String2="stop") returned -12 [0289.907] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0289.907] _wcsicmp (_String1="help", _String2="stop") returned -11 [0289.907] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0289.907] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0289.907] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0289.907] _wcsicmp (_String1="session", _String2="stop") returned -15 [0289.907] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0289.907] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0289.907] _wcsicmp (_String1="share", _String2="stop") returned -12 [0289.907] _wcsicmp (_String1="start", _String2="stop") returned -14 [0289.907] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0289.907] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0289.907] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0289.907] _wcsicmp (_String1="accounts", _String2="VeeamNFSSvc") returned -21 [0289.907] _wcsicmp (_String1="computer", _String2="VeeamNFSSvc") returned -19 [0289.908] _wcsicmp (_String1="config", _String2="VeeamNFSSvc") returned -19 [0289.908] _wcsicmp (_String1="continue", _String2="VeeamNFSSvc") returned -19 [0289.908] _wcsicmp (_String1="cont", _String2="VeeamNFSSvc") returned -19 [0289.908] _wcsicmp (_String1="file", _String2="VeeamNFSSvc") returned -16 [0289.908] _wcsicmp (_String1="files", _String2="VeeamNFSSvc") returned -16 [0289.908] _wcsicmp (_String1="group", _String2="VeeamNFSSvc") returned -15 [0289.908] _wcsicmp (_String1="groups", _String2="VeeamNFSSvc") returned -15 [0289.908] _wcsicmp (_String1="help", _String2="VeeamNFSSvc") returned -14 [0289.908] _wcsicmp (_String1="helpmsg", _String2="VeeamNFSSvc") returned -14 [0289.908] _wcsicmp (_String1="localgroup", _String2="VeeamNFSSvc") returned -10 [0289.908] _wcsicmp (_String1="pause", _String2="VeeamNFSSvc") returned -6 [0289.908] _wcsicmp (_String1="session", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="sessions", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="sess", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="share", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="start", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="stats", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="statistics", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="stop", _String2="VeeamNFSSvc") returned -3 [0289.908] _wcsicmp (_String1="time", _String2="VeeamNFSSvc") returned -2 [0289.908] _wcsicmp (_String1="user", _String2="VeeamNFSSvc") returned -1 [0289.908] _wcsicmp (_String1="users", _String2="VeeamNFSSvc") returned -1 [0289.908] _wcsicmp (_String1="msg", _String2="VeeamNFSSvc") returned -9 [0289.908] _wcsicmp (_String1="messenger", _String2="VeeamNFSSvc") returned -9 [0289.908] _wcsicmp (_String1="receiver", _String2="VeeamNFSSvc") returned -4 [0289.908] _wcsicmp (_String1="rcv", _String2="VeeamNFSSvc") returned -4 [0289.908] _wcsicmp (_String1="netpopup", _String2="VeeamNFSSvc") returned -8 [0289.908] _wcsicmp (_String1="redirector", _String2="VeeamNFSSvc") returned -4 [0289.908] _wcsicmp (_String1="redir", _String2="VeeamNFSSvc") returned -4 [0289.908] _wcsicmp (_String1="rdr", _String2="VeeamNFSSvc") returned -4 [0289.908] _wcsicmp (_String1="workstation", _String2="VeeamNFSSvc") returned 1 [0289.908] _wcsicmp (_String1="work", _String2="VeeamNFSSvc") returned 1 [0289.908] _wcsicmp (_String1="wksta", _String2="VeeamNFSSvc") returned 1 [0289.908] _wcsicmp (_String1="prdr", _String2="VeeamNFSSvc") returned -6 [0289.908] _wcsicmp (_String1="devrdr", _String2="VeeamNFSSvc") returned -18 [0289.909] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamNFSSvc") returned -10 [0289.909] _wcsicmp (_String1="server", _String2="VeeamNFSSvc") returned -3 [0289.909] _wcsicmp (_String1="svr", _String2="VeeamNFSSvc") returned -3 [0289.909] _wcsicmp (_String1="srv", _String2="VeeamNFSSvc") returned -3 [0289.909] _wcsicmp (_String1="lanmanserver", _String2="VeeamNFSSvc") returned -10 [0289.909] _wcsicmp (_String1="alerter", _String2="VeeamNFSSvc") returned -21 [0289.909] _wcsicmp (_String1="netlogon", _String2="VeeamNFSSvc") returned -8 [0289.909] _wcsupr (in: _String="VeeamNFSSvc" | out: _String="VEEAMNFSSVC") returned="VEEAMNFSSVC" [0289.909] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x25d08b8 [0289.912] GetServiceKeyNameW (in: hSCManager=0x25d08b8, lpDisplayName="VEEAMNFSSVC", lpServiceName=0x1c8c28, lpcchBuffer=0x15fb94 | out: lpServiceName="", lpcchBuffer=0x15fb94) returned 0 [0289.913] _wcsicmp (_String1="msg", _String2="VEEAMNFSSVC") returned -9 [0289.913] _wcsicmp (_String1="messenger", _String2="VEEAMNFSSVC") returned -9 [0289.913] _wcsicmp (_String1="receiver", _String2="VEEAMNFSSVC") returned -4 [0289.913] _wcsicmp (_String1="rcv", _String2="VEEAMNFSSVC") returned -4 [0289.913] _wcsicmp (_String1="redirector", _String2="VEEAMNFSSVC") returned -4 [0289.913] _wcsicmp (_String1="redir", _String2="VEEAMNFSSVC") returned -4 [0289.913] _wcsicmp (_String1="rdr", _String2="VEEAMNFSSVC") returned -4 [0289.913] _wcsicmp (_String1="workstation", _String2="VEEAMNFSSVC") returned 1 [0289.913] _wcsicmp (_String1="work", _String2="VEEAMNFSSVC") returned 1 [0289.913] _wcsicmp (_String1="wksta", _String2="VEEAMNFSSVC") returned 1 [0289.913] _wcsicmp (_String1="prdr", _String2="VEEAMNFSSVC") returned -6 [0289.913] _wcsicmp (_String1="devrdr", _String2="VEEAMNFSSVC") returned -18 [0289.913] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMNFSSVC") returned -10 [0289.913] _wcsicmp (_String1="server", _String2="VEEAMNFSSVC") returned -3 [0289.913] _wcsicmp (_String1="svr", _String2="VEEAMNFSSVC") returned -3 [0289.913] _wcsicmp (_String1="srv", _String2="VEEAMNFSSVC") returned -3 [0289.913] _wcsicmp (_String1="lanmanserver", _String2="VEEAMNFSSVC") returned -10 [0289.913] _wcsicmp (_String1="alerter", _String2="VEEAMNFSSVC") returned -21 [0289.913] _wcsicmp (_String1="netlogon", _String2="VEEAMNFSSVC") returned -8 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="WORKSTATION") returned -1 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="LanmanWorkstation") returned 10 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="SERVER") returned 3 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="LanmanServer") returned 10 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="BROWSER") returned 20 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="BROWSER") returned 20 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="MESSENGER") returned 9 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="MESSENGER") returned 9 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="NETRUN") returned 8 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="NETRUN") returned 8 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="SPOOLER") returned 3 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="SPOOLER") returned 3 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="ALERTER") returned 21 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="ALERTER") returned 21 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="NETLOGON") returned 8 [0289.913] _wcsicmp (_String1="VEEAMNFSSVC", _String2="NETLOGON") returned 8 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="NETPOPUP") returned 8 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="NETPOPUP") returned 8 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="SQLSERVER") returned 3 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="SQLSERVER") returned 3 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="REPLICATOR") returned 4 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="REPLICATOR") returned 4 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="REMOTEBOOT") returned 4 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="REMOTEBOOT") returned 4 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="TIMESOURCE") returned 2 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="TIMESOURCE") returned 2 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="AFP") returned 21 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="AFP") returned 21 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="UPS") returned 1 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="UPS") returned 1 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="XACTSRV") returned -2 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="XACTSRV") returned -2 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="TCPIP") returned 2 [0289.914] _wcsicmp (_String1="VEEAMNFSSVC", _String2="TCPIP") returned 2 [0289.914] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x25d0868 [0289.914] OpenServiceW (hSCManager=0x25d0868, lpServiceName="VEEAMNFSSVC", dwDesiredAccess=0x84) returned 0x0 [0289.915] GetLastError () returned 0x424 [0289.915] CloseServiceHandle (hSCObject=0x25d0868) returned 1 [0289.915] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0289.915] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x190002 [0289.916] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x190002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0289.916] GetFileType (hFile=0x94) returned 0x2 [0289.916] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x15fa24 | out: lpMode=0x15fa24) returned 1 [0289.917] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x15fa30, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x15fa30*=0x1e) returned 1 [0289.917] GetFileType (hFile=0x94) returned 0x2 [0289.917] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x15fa24 | out: lpMode=0x15fa24) returned 1 [0289.917] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x15fa30, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x15fa30*=0x2) returned 1 [0289.918] _ultow (in: _Dest=0x889, _Radix=1440376 | out: _Dest=0x889) returned="2185" [0289.918] FormatMessageW (in: dwFlags=0x2800, lpSource=0x190002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0289.918] GetFileType (hFile=0x94) returned 0x2 [0289.918] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x15fa48 | out: lpMode=0x15fa48) returned 1 [0289.918] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x15fa54, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x15fa54*=0x34) returned 1 [0289.918] GetFileType (hFile=0x94) returned 0x2 [0289.918] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x15fa48 | out: lpMode=0x15fa48) returned 1 [0289.919] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x15fa54, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x15fa54*=0x2) returned 1 [0289.919] NetApiBufferFree (Buffer=0x25c85c0) returned 0x0 [0289.919] NetApiBufferFree (Buffer=0x25c8560) returned 0x0 [0289.919] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop VeeamNFSSvc /y" [0289.919] exit (_Code=2) Thread: id = 171 os_tid = 0xe0c Process: id = "70" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7a97f000" os_pid = "0x900" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop veeam /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 172 os_tid = 0x12a0 Thread: id = 176 os_tid = 0x1058 Process: id = "71" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7bade000" os_pid = "0xe6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "70" os_parent_pid = "0x900" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 173 os_tid = 0x67c Thread: id = 174 os_tid = 0xd58 Thread: id = 175 os_tid = 0xd5c Process: id = "72" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x71f5b000" os_pid = "0x1054" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "70" os_parent_pid = "0x900" cmd_line = "C:\\WINDOWS\\system32\\net1 stop veeam /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 177 os_tid = 0x10cc [0290.306] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0290.306] __set_app_type (_Type=0x1) [0290.306] __p__fmode () returned 0x776f3c14 [0290.306] __p__commode () returned 0x776f49ec [0290.307] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0290.307] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0290.307] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0290.307] GetConsoleOutputCP () returned 0x1b5 [0290.307] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0290.308] SetThreadUILanguage (LangId=0x0) returned 0x3030409 [0290.311] sprintf_s (in: _DstBuf=0x2f3fb78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0290.311] setlocale (category=0, locale=".437") returned="English_United States.437" [0290.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0290.314] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0290.314] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop veeam /y" [0290.314] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f3f920, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0290.314] RtlAllocateHeap (HeapHandle=0x3460000, Flags=0x0, Size=0x5e) returned 0x3464388 [0290.314] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0290.314] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f3f91c | out: Buffer=0x2f3f91c*=0x3467e18) returned 0x0 [0290.314] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f3f918 | out: Buffer=0x2f3f918*=0x3467cf8) returned 0x0 [0290.314] __iob_func () returned 0x776f2608 [0290.315] _fileno (_File=0x776f2608) returned 0 [0290.315] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0290.315] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0290.315] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0290.315] _wcsicmp (_String1="config", _String2="stop") returned -16 [0290.315] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0290.315] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0290.315] _wcsicmp (_String1="file", _String2="stop") returned -13 [0290.315] _wcsicmp (_String1="files", _String2="stop") returned -13 [0290.315] _wcsicmp (_String1="group", _String2="stop") returned -12 [0290.315] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0290.315] _wcsicmp (_String1="help", _String2="stop") returned -11 [0290.315] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0290.315] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0290.315] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0290.315] _wcsicmp (_String1="session", _String2="stop") returned -15 [0290.316] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0290.316] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0290.316] _wcsicmp (_String1="share", _String2="stop") returned -12 [0290.316] _wcsicmp (_String1="start", _String2="stop") returned -14 [0290.316] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0290.316] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0290.316] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0290.316] _wcsicmp (_String1="accounts", _String2="veeam") returned -21 [0290.316] _wcsicmp (_String1="computer", _String2="veeam") returned -19 [0290.316] _wcsicmp (_String1="config", _String2="veeam") returned -19 [0290.316] _wcsicmp (_String1="continue", _String2="veeam") returned -19 [0290.316] _wcsicmp (_String1="cont", _String2="veeam") returned -19 [0290.316] _wcsicmp (_String1="file", _String2="veeam") returned -16 [0290.316] _wcsicmp (_String1="files", _String2="veeam") returned -16 [0290.316] _wcsicmp (_String1="group", _String2="veeam") returned -15 [0290.316] _wcsicmp (_String1="groups", _String2="veeam") returned -15 [0290.316] _wcsicmp (_String1="help", _String2="veeam") returned -14 [0290.316] _wcsicmp (_String1="helpmsg", _String2="veeam") returned -14 [0290.317] _wcsicmp (_String1="localgroup", _String2="veeam") returned -10 [0290.317] _wcsicmp (_String1="pause", _String2="veeam") returned -6 [0290.317] _wcsicmp (_String1="session", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="sessions", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="sess", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="share", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="start", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="stats", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="statistics", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="stop", _String2="veeam") returned -3 [0290.317] _wcsicmp (_String1="time", _String2="veeam") returned -2 [0290.317] _wcsicmp (_String1="user", _String2="veeam") returned -1 [0290.318] _wcsicmp (_String1="users", _String2="veeam") returned -1 [0290.318] _wcsicmp (_String1="msg", _String2="veeam") returned -9 [0290.318] _wcsicmp (_String1="messenger", _String2="veeam") returned -9 [0290.318] _wcsicmp (_String1="receiver", _String2="veeam") returned -4 [0290.318] _wcsicmp (_String1="rcv", _String2="veeam") returned -4 [0290.318] _wcsicmp (_String1="netpopup", _String2="veeam") returned -8 [0290.318] _wcsicmp (_String1="redirector", _String2="veeam") returned -4 [0290.318] _wcsicmp (_String1="redir", _String2="veeam") returned -4 [0290.318] _wcsicmp (_String1="rdr", _String2="veeam") returned -4 [0290.318] _wcsicmp (_String1="workstation", _String2="veeam") returned 1 [0290.318] _wcsicmp (_String1="work", _String2="veeam") returned 1 [0290.318] _wcsicmp (_String1="wksta", _String2="veeam") returned 1 [0290.318] _wcsicmp (_String1="prdr", _String2="veeam") returned -6 [0290.318] _wcsicmp (_String1="devrdr", _String2="veeam") returned -18 [0290.318] _wcsicmp (_String1="lanmanworkstation", _String2="veeam") returned -10 [0290.318] _wcsicmp (_String1="server", _String2="veeam") returned -3 [0290.318] _wcsicmp (_String1="svr", _String2="veeam") returned -3 [0290.318] _wcsicmp (_String1="srv", _String2="veeam") returned -3 [0290.318] _wcsicmp (_String1="lanmanserver", _String2="veeam") returned -10 [0290.319] _wcsicmp (_String1="alerter", _String2="veeam") returned -21 [0290.319] _wcsicmp (_String1="netlogon", _String2="veeam") returned -8 [0290.319] _wcsupr (in: _String="veeam" | out: _String="VEEAM") returned="VEEAM" [0290.319] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3470940 [0290.323] GetServiceKeyNameW (in: hSCManager=0x3470940, lpDisplayName="VEEAM", lpServiceName=0x1c8c28, lpcchBuffer=0x2f3f88c | out: lpServiceName="", lpcchBuffer=0x2f3f88c) returned 0 [0290.324] _wcsicmp (_String1="msg", _String2="VEEAM") returned -9 [0290.324] _wcsicmp (_String1="messenger", _String2="VEEAM") returned -9 [0290.324] _wcsicmp (_String1="receiver", _String2="VEEAM") returned -4 [0290.324] _wcsicmp (_String1="rcv", _String2="VEEAM") returned -4 [0290.324] _wcsicmp (_String1="redirector", _String2="VEEAM") returned -4 [0290.324] _wcsicmp (_String1="redir", _String2="VEEAM") returned -4 [0290.324] _wcsicmp (_String1="rdr", _String2="VEEAM") returned -4 [0290.324] _wcsicmp (_String1="workstation", _String2="VEEAM") returned 1 [0290.325] _wcsicmp (_String1="work", _String2="VEEAM") returned 1 [0290.325] _wcsicmp (_String1="wksta", _String2="VEEAM") returned 1 [0290.325] _wcsicmp (_String1="prdr", _String2="VEEAM") returned -6 [0290.325] _wcsicmp (_String1="devrdr", _String2="VEEAM") returned -18 [0290.325] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAM") returned -10 [0290.325] _wcsicmp (_String1="server", _String2="VEEAM") returned -3 [0290.325] _wcsicmp (_String1="svr", _String2="VEEAM") returned -3 [0290.325] _wcsicmp (_String1="srv", _String2="VEEAM") returned -3 [0290.325] _wcsicmp (_String1="lanmanserver", _String2="VEEAM") returned -10 [0290.325] _wcsicmp (_String1="alerter", _String2="VEEAM") returned -21 [0290.325] _wcsicmp (_String1="netlogon", _String2="VEEAM") returned -8 [0290.325] _wcsicmp (_String1="VEEAM", _String2="WORKSTATION") returned -1 [0290.325] _wcsicmp (_String1="VEEAM", _String2="LanmanWorkstation") returned 10 [0290.325] _wcsicmp (_String1="VEEAM", _String2="SERVER") returned 3 [0290.325] _wcsicmp (_String1="VEEAM", _String2="LanmanServer") returned 10 [0290.325] _wcsicmp (_String1="VEEAM", _String2="BROWSER") returned 20 [0290.325] _wcsicmp (_String1="VEEAM", _String2="BROWSER") returned 20 [0290.325] _wcsicmp (_String1="VEEAM", _String2="MESSENGER") returned 9 [0290.325] _wcsicmp (_String1="VEEAM", _String2="MESSENGER") returned 9 [0290.326] _wcsicmp (_String1="VEEAM", _String2="NETRUN") returned 8 [0290.326] _wcsicmp (_String1="VEEAM", _String2="NETRUN") returned 8 [0290.326] _wcsicmp (_String1="VEEAM", _String2="SPOOLER") returned 3 [0290.326] _wcsicmp (_String1="VEEAM", _String2="SPOOLER") returned 3 [0290.326] _wcsicmp (_String1="VEEAM", _String2="ALERTER") returned 21 [0290.326] _wcsicmp (_String1="VEEAM", _String2="ALERTER") returned 21 [0290.326] _wcsicmp (_String1="VEEAM", _String2="NETLOGON") returned 8 [0290.326] _wcsicmp (_String1="VEEAM", _String2="NETLOGON") returned 8 [0290.326] _wcsicmp (_String1="VEEAM", _String2="NETPOPUP") returned 8 [0290.326] _wcsicmp (_String1="VEEAM", _String2="NETPOPUP") returned 8 [0290.326] _wcsicmp (_String1="VEEAM", _String2="SQLSERVER") returned 3 [0290.326] _wcsicmp (_String1="VEEAM", _String2="SQLSERVER") returned 3 [0290.326] _wcsicmp (_String1="VEEAM", _String2="REPLICATOR") returned 4 [0290.326] _wcsicmp (_String1="VEEAM", _String2="REPLICATOR") returned 4 [0290.326] _wcsicmp (_String1="VEEAM", _String2="REMOTEBOOT") returned 4 [0290.326] _wcsicmp (_String1="VEEAM", _String2="REMOTEBOOT") returned 4 [0290.326] _wcsicmp (_String1="VEEAM", _String2="TIMESOURCE") returned 2 [0290.327] _wcsicmp (_String1="VEEAM", _String2="TIMESOURCE") returned 2 [0290.327] _wcsicmp (_String1="VEEAM", _String2="AFP") returned 21 [0290.327] _wcsicmp (_String1="VEEAM", _String2="AFP") returned 21 [0290.327] _wcsicmp (_String1="VEEAM", _String2="UPS") returned 1 [0290.327] _wcsicmp (_String1="VEEAM", _String2="UPS") returned 1 [0290.327] _wcsicmp (_String1="VEEAM", _String2="XACTSRV") returned -2 [0290.327] _wcsicmp (_String1="VEEAM", _String2="XACTSRV") returned -2 [0290.327] _wcsicmp (_String1="VEEAM", _String2="TCPIP") returned 2 [0290.327] _wcsicmp (_String1="VEEAM", _String2="TCPIP") returned 2 [0290.327] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3470850 [0290.328] OpenServiceW (hSCManager=0x3470850, lpServiceName="VEEAM", dwDesiredAccess=0x84) returned 0x0 [0290.328] GetLastError () returned 0x424 [0290.328] CloseServiceHandle (hSCObject=0x3470850) returned 1 [0290.329] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0290.329] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2fb0002 [0290.330] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2fb0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0290.331] GetFileType (hFile=0x94) returned 0x2 [0290.331] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f3f71c | out: lpMode=0x2f3f71c) returned 1 [0290.331] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2f3f728, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f3f728*=0x1e) returned 1 [0290.332] GetFileType (hFile=0x94) returned 0x2 [0290.332] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f3f71c | out: lpMode=0x2f3f71c) returned 1 [0290.332] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f3f728, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f3f728*=0x2) returned 1 [0290.332] _ultow (in: _Dest=0x889, _Radix=49543024 | out: _Dest=0x889) returned="2185" [0290.332] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2fb0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0290.333] GetFileType (hFile=0x94) returned 0x2 [0290.333] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f3f740 | out: lpMode=0x2f3f740) returned 1 [0290.333] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2f3f74c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f3f74c*=0x34) returned 1 [0290.333] GetFileType (hFile=0x94) returned 0x2 [0290.333] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f3f740 | out: lpMode=0x2f3f740) returned 1 [0290.334] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f3f74c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f3f74c*=0x2) returned 1 [0290.334] NetApiBufferFree (Buffer=0x3467e18) returned 0x0 [0290.334] NetApiBufferFree (Buffer=0x3467cf8) returned 0x0 [0290.334] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop veeam /y" [0290.334] exit (_Code=2) Thread: id = 178 os_tid = 0x10d0 Process: id = "73" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x55404000" os_pid = "0x10d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop PDVFSService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 179 os_tid = 0x1174 Thread: id = 183 os_tid = 0xd10 Process: id = "74" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5ecf1000" os_pid = "0x58c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "73" os_parent_pid = "0x10d4" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 180 os_tid = 0xda8 Thread: id = 181 os_tid = 0xa08 Thread: id = 182 os_tid = 0xd50 Process: id = "75" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x139f1000" os_pid = "0x484" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "73" os_parent_pid = "0x10d4" cmd_line = "C:\\WINDOWS\\system32\\net1 stop PDVFSService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 184 os_tid = 0xf60 [0291.043] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0291.043] __set_app_type (_Type=0x1) [0291.043] __p__fmode () returned 0x776f3c14 [0291.043] __p__commode () returned 0x776f49ec [0291.043] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0291.043] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0291.043] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0291.043] GetConsoleOutputCP () returned 0x1b5 [0291.044] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0291.044] SetThreadUILanguage (LangId=0x0) returned 0x2dd0409 [0291.046] sprintf_s (in: _DstBuf=0x2e7f9e4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0291.047] setlocale (category=0, locale=".437") returned="English_United States.437" [0291.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0291.048] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0291.048] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop PDVFSService /y" [0291.048] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e7f78c, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0291.048] RtlAllocateHeap (HeapHandle=0x2f30000, Flags=0x0, Size=0x6c) returned 0x2f37880 [0291.048] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0291.048] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2e7f788 | out: Buffer=0x2e7f788*=0x2f38568) returned 0x0 [0291.048] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2e7f784 | out: Buffer=0x2e7f784*=0x2f385f8) returned 0x0 [0291.049] __iob_func () returned 0x776f2608 [0291.049] _fileno (_File=0x776f2608) returned 0 [0291.049] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0291.049] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0291.049] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0291.049] _wcsicmp (_String1="config", _String2="stop") returned -16 [0291.049] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0291.049] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0291.049] _wcsicmp (_String1="file", _String2="stop") returned -13 [0291.049] _wcsicmp (_String1="files", _String2="stop") returned -13 [0291.049] _wcsicmp (_String1="group", _String2="stop") returned -12 [0291.049] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0291.049] _wcsicmp (_String1="help", _String2="stop") returned -11 [0291.049] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0291.049] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0291.049] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0291.049] _wcsicmp (_String1="session", _String2="stop") returned -15 [0291.049] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0291.049] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0291.049] _wcsicmp (_String1="share", _String2="stop") returned -12 [0291.049] _wcsicmp (_String1="start", _String2="stop") returned -14 [0291.049] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0291.049] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0291.049] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0291.049] _wcsicmp (_String1="accounts", _String2="PDVFSService") returned -15 [0291.049] _wcsicmp (_String1="computer", _String2="PDVFSService") returned -13 [0291.049] _wcsicmp (_String1="config", _String2="PDVFSService") returned -13 [0291.049] _wcsicmp (_String1="continue", _String2="PDVFSService") returned -13 [0291.049] _wcsicmp (_String1="cont", _String2="PDVFSService") returned -13 [0291.049] _wcsicmp (_String1="file", _String2="PDVFSService") returned -10 [0291.049] _wcsicmp (_String1="files", _String2="PDVFSService") returned -10 [0291.050] _wcsicmp (_String1="group", _String2="PDVFSService") returned -9 [0291.050] _wcsicmp (_String1="groups", _String2="PDVFSService") returned -9 [0291.050] _wcsicmp (_String1="help", _String2="PDVFSService") returned -8 [0291.050] _wcsicmp (_String1="helpmsg", _String2="PDVFSService") returned -8 [0291.050] _wcsicmp (_String1="localgroup", _String2="PDVFSService") returned -4 [0291.050] _wcsicmp (_String1="pause", _String2="PDVFSService") returned -3 [0291.050] _wcsicmp (_String1="session", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="sessions", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="sess", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="share", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="start", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="stats", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="statistics", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="stop", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="time", _String2="PDVFSService") returned 4 [0291.050] _wcsicmp (_String1="user", _String2="PDVFSService") returned 5 [0291.050] _wcsicmp (_String1="users", _String2="PDVFSService") returned 5 [0291.050] _wcsicmp (_String1="msg", _String2="PDVFSService") returned -3 [0291.050] _wcsicmp (_String1="messenger", _String2="PDVFSService") returned -3 [0291.050] _wcsicmp (_String1="receiver", _String2="PDVFSService") returned 2 [0291.050] _wcsicmp (_String1="rcv", _String2="PDVFSService") returned 2 [0291.050] _wcsicmp (_String1="netpopup", _String2="PDVFSService") returned -2 [0291.050] _wcsicmp (_String1="redirector", _String2="PDVFSService") returned 2 [0291.050] _wcsicmp (_String1="redir", _String2="PDVFSService") returned 2 [0291.050] _wcsicmp (_String1="rdr", _String2="PDVFSService") returned 2 [0291.050] _wcsicmp (_String1="workstation", _String2="PDVFSService") returned 7 [0291.050] _wcsicmp (_String1="work", _String2="PDVFSService") returned 7 [0291.050] _wcsicmp (_String1="wksta", _String2="PDVFSService") returned 7 [0291.050] _wcsicmp (_String1="prdr", _String2="PDVFSService") returned 14 [0291.050] _wcsicmp (_String1="devrdr", _String2="PDVFSService") returned -12 [0291.050] _wcsicmp (_String1="lanmanworkstation", _String2="PDVFSService") returned -4 [0291.050] _wcsicmp (_String1="server", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="svr", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="srv", _String2="PDVFSService") returned 3 [0291.050] _wcsicmp (_String1="lanmanserver", _String2="PDVFSService") returned -4 [0291.050] _wcsicmp (_String1="alerter", _String2="PDVFSService") returned -15 [0291.050] _wcsicmp (_String1="netlogon", _String2="PDVFSService") returned -2 [0291.051] _wcsupr (in: _String="PDVFSService" | out: _String="PDVFSSERVICE") returned="PDVFSSERVICE" [0291.051] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2f407f0 [0291.054] GetServiceKeyNameW (in: hSCManager=0x2f407f0, lpDisplayName="PDVFSSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x2e7f6fc | out: lpServiceName="", lpcchBuffer=0x2e7f6fc) returned 0 [0291.054] _wcsicmp (_String1="msg", _String2="PDVFSSERVICE") returned -3 [0291.054] _wcsicmp (_String1="messenger", _String2="PDVFSSERVICE") returned -3 [0291.054] _wcsicmp (_String1="receiver", _String2="PDVFSSERVICE") returned 2 [0291.054] _wcsicmp (_String1="rcv", _String2="PDVFSSERVICE") returned 2 [0291.054] _wcsicmp (_String1="redirector", _String2="PDVFSSERVICE") returned 2 [0291.055] _wcsicmp (_String1="redir", _String2="PDVFSSERVICE") returned 2 [0291.055] _wcsicmp (_String1="rdr", _String2="PDVFSSERVICE") returned 2 [0291.055] _wcsicmp (_String1="workstation", _String2="PDVFSSERVICE") returned 7 [0291.055] _wcsicmp (_String1="work", _String2="PDVFSSERVICE") returned 7 [0291.055] _wcsicmp (_String1="wksta", _String2="PDVFSSERVICE") returned 7 [0291.055] _wcsicmp (_String1="prdr", _String2="PDVFSSERVICE") returned 14 [0291.055] _wcsicmp (_String1="devrdr", _String2="PDVFSSERVICE") returned -12 [0291.055] _wcsicmp (_String1="lanmanworkstation", _String2="PDVFSSERVICE") returned -4 [0291.055] _wcsicmp (_String1="server", _String2="PDVFSSERVICE") returned 3 [0291.055] _wcsicmp (_String1="svr", _String2="PDVFSSERVICE") returned 3 [0291.055] _wcsicmp (_String1="srv", _String2="PDVFSSERVICE") returned 3 [0291.055] _wcsicmp (_String1="lanmanserver", _String2="PDVFSSERVICE") returned -4 [0291.055] _wcsicmp (_String1="alerter", _String2="PDVFSSERVICE") returned -15 [0291.055] _wcsicmp (_String1="netlogon", _String2="PDVFSSERVICE") returned -2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="WORKSTATION") returned -7 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="LanmanWorkstation") returned 4 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="SERVER") returned -3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="LanmanServer") returned 4 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="BROWSER") returned 14 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="BROWSER") returned 14 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="MESSENGER") returned 3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="MESSENGER") returned 3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="NETRUN") returned 2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="NETRUN") returned 2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="SPOOLER") returned -3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="SPOOLER") returned -3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="ALERTER") returned 15 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="ALERTER") returned 15 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="NETLOGON") returned 2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="NETLOGON") returned 2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="NETPOPUP") returned 2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="NETPOPUP") returned 2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="SQLSERVER") returned -3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="SQLSERVER") returned -3 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="REPLICATOR") returned -2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="REPLICATOR") returned -2 [0291.055] _wcsicmp (_String1="PDVFSSERVICE", _String2="REMOTEBOOT") returned -2 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="REMOTEBOOT") returned -2 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="TIMESOURCE") returned -4 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="TIMESOURCE") returned -4 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="AFP") returned 15 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="AFP") returned 15 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="UPS") returned -5 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="UPS") returned -5 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="XACTSRV") returned -8 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="XACTSRV") returned -8 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="TCPIP") returned -4 [0291.056] _wcsicmp (_String1="PDVFSSERVICE", _String2="TCPIP") returned -4 [0291.056] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2f40818 [0291.056] OpenServiceW (hSCManager=0x2f40818, lpServiceName="PDVFSSERVICE", dwDesiredAccess=0x84) returned 0x0 [0291.056] GetLastError () returned 0x424 [0291.057] CloseServiceHandle (hSCObject=0x2f40818) returned 1 [0291.057] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0291.057] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2be0002 [0291.057] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2be0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0291.058] GetFileType (hFile=0x94) returned 0x2 [0291.058] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f58c | out: lpMode=0x2e7f58c) returned 1 [0291.059] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2e7f598, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2e7f598*=0x1e) returned 1 [0291.059] GetFileType (hFile=0x94) returned 0x2 [0291.059] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f58c | out: lpMode=0x2e7f58c) returned 1 [0291.059] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2e7f598, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2e7f598*=0x2) returned 1 [0291.060] _ultow (in: _Dest=0x889, _Radix=48756192 | out: _Dest=0x889) returned="2185" [0291.060] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2be0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0291.060] GetFileType (hFile=0x94) returned 0x2 [0291.060] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f5b0 | out: lpMode=0x2e7f5b0) returned 1 [0291.060] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2e7f5bc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2e7f5bc*=0x34) returned 1 [0291.061] GetFileType (hFile=0x94) returned 0x2 [0291.061] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2e7f5b0 | out: lpMode=0x2e7f5b0) returned 1 [0291.061] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2e7f5bc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2e7f5bc*=0x2) returned 1 [0291.061] NetApiBufferFree (Buffer=0x2f38568) returned 0x0 [0291.061] NetApiBufferFree (Buffer=0x2f385f8) returned 0x0 [0291.061] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop PDVFSService /y" [0291.061] exit (_Code=2) Thread: id = 185 os_tid = 0xdac Process: id = "76" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4487000" os_pid = "0xf3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecVSSProvider /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 186 os_tid = 0xfac Thread: id = 190 os_tid = 0xedc Process: id = "77" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3f338000" os_pid = "0xf4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "76" os_parent_pid = "0xf3c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 187 os_tid = 0xeb8 Thread: id = 188 os_tid = 0xf9c Thread: id = 189 os_tid = 0xeb4 Process: id = "78" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1b5b6000" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "76" os_parent_pid = "0xf3c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecVSSProvider /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 191 os_tid = 0x122c [0291.427] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0291.427] __set_app_type (_Type=0x1) [0291.427] __p__fmode () returned 0x776f3c14 [0291.427] __p__commode () returned 0x776f49ec [0291.427] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0291.427] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0291.427] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0291.427] GetConsoleOutputCP () returned 0x1b5 [0291.428] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0291.428] SetThreadUILanguage (LangId=0x0) returned 0x29d0409 [0291.431] sprintf_s (in: _DstBuf=0x27afb24, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0291.431] setlocale (category=0, locale=".437") returned="English_United States.437" [0291.432] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0291.432] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0291.433] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecVSSProvider /y" [0291.433] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27af8cc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0291.433] RtlAllocateHeap (HeapHandle=0x2ae0000, Flags=0x0, Size=0x7e) returned 0x2ae45b0 [0291.433] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0291.433] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27af8c8 | out: Buffer=0x27af8c8*=0x2ae7cf8) returned 0x0 [0291.433] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27af8c4 | out: Buffer=0x27af8c4*=0x2ae7d10) returned 0x0 [0291.433] __iob_func () returned 0x776f2608 [0291.433] _fileno (_File=0x776f2608) returned 0 [0291.433] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0291.433] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0291.433] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0291.433] _wcsicmp (_String1="config", _String2="stop") returned -16 [0291.433] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0291.433] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0291.433] _wcsicmp (_String1="file", _String2="stop") returned -13 [0291.433] _wcsicmp (_String1="files", _String2="stop") returned -13 [0291.433] _wcsicmp (_String1="group", _String2="stop") returned -12 [0291.433] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0291.433] _wcsicmp (_String1="help", _String2="stop") returned -11 [0291.433] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0291.433] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0291.433] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0291.433] _wcsicmp (_String1="session", _String2="stop") returned -15 [0291.433] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0291.433] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0291.433] _wcsicmp (_String1="share", _String2="stop") returned -12 [0291.433] _wcsicmp (_String1="start", _String2="stop") returned -14 [0291.433] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0291.434] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0291.434] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0291.434] _wcsicmp (_String1="accounts", _String2="BackupExecVSSProvider") returned -1 [0291.434] _wcsicmp (_String1="computer", _String2="BackupExecVSSProvider") returned 1 [0291.434] _wcsicmp (_String1="config", _String2="BackupExecVSSProvider") returned 1 [0291.434] _wcsicmp (_String1="continue", _String2="BackupExecVSSProvider") returned 1 [0291.434] _wcsicmp (_String1="cont", _String2="BackupExecVSSProvider") returned 1 [0291.434] _wcsicmp (_String1="file", _String2="BackupExecVSSProvider") returned 4 [0291.434] _wcsicmp (_String1="files", _String2="BackupExecVSSProvider") returned 4 [0291.434] _wcsicmp (_String1="group", _String2="BackupExecVSSProvider") returned 5 [0291.434] _wcsicmp (_String1="groups", _String2="BackupExecVSSProvider") returned 5 [0291.434] _wcsicmp (_String1="help", _String2="BackupExecVSSProvider") returned 6 [0291.434] _wcsicmp (_String1="helpmsg", _String2="BackupExecVSSProvider") returned 6 [0291.434] _wcsicmp (_String1="localgroup", _String2="BackupExecVSSProvider") returned 10 [0291.434] _wcsicmp (_String1="pause", _String2="BackupExecVSSProvider") returned 14 [0291.434] _wcsicmp (_String1="session", _String2="BackupExecVSSProvider") returned 17 [0291.434] _wcsicmp (_String1="sessions", _String2="BackupExecVSSProvider") returned 17 [0291.434] _wcsicmp (_String1="sess", _String2="BackupExecVSSProvider") returned 17 [0291.434] _wcsicmp (_String1="share", _String2="BackupExecVSSProvider") returned 17 [0291.434] _wcsicmp (_String1="start", _String2="BackupExecVSSProvider") returned 17 [0291.434] _wcsicmp (_String1="stats", _String2="BackupExecVSSProvider") returned 17 [0291.435] _wcsicmp (_String1="statistics", _String2="BackupExecVSSProvider") returned 17 [0291.435] _wcsicmp (_String1="stop", _String2="BackupExecVSSProvider") returned 17 [0291.435] _wcsicmp (_String1="time", _String2="BackupExecVSSProvider") returned 18 [0291.435] _wcsicmp (_String1="user", _String2="BackupExecVSSProvider") returned 19 [0291.435] _wcsicmp (_String1="users", _String2="BackupExecVSSProvider") returned 19 [0291.435] _wcsicmp (_String1="msg", _String2="BackupExecVSSProvider") returned 11 [0291.435] _wcsicmp (_String1="messenger", _String2="BackupExecVSSProvider") returned 11 [0291.435] _wcsicmp (_String1="receiver", _String2="BackupExecVSSProvider") returned 16 [0291.435] _wcsicmp (_String1="rcv", _String2="BackupExecVSSProvider") returned 16 [0291.435] _wcsicmp (_String1="netpopup", _String2="BackupExecVSSProvider") returned 12 [0291.435] _wcsicmp (_String1="redirector", _String2="BackupExecVSSProvider") returned 16 [0291.435] _wcsicmp (_String1="redir", _String2="BackupExecVSSProvider") returned 16 [0291.435] _wcsicmp (_String1="rdr", _String2="BackupExecVSSProvider") returned 16 [0291.435] _wcsicmp (_String1="workstation", _String2="BackupExecVSSProvider") returned 21 [0291.435] _wcsicmp (_String1="work", _String2="BackupExecVSSProvider") returned 21 [0291.435] _wcsicmp (_String1="wksta", _String2="BackupExecVSSProvider") returned 21 [0291.435] _wcsicmp (_String1="prdr", _String2="BackupExecVSSProvider") returned 14 [0291.435] _wcsicmp (_String1="devrdr", _String2="BackupExecVSSProvider") returned 2 [0291.435] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecVSSProvider") returned 10 [0291.435] _wcsicmp (_String1="server", _String2="BackupExecVSSProvider") returned 17 [0291.435] _wcsicmp (_String1="svr", _String2="BackupExecVSSProvider") returned 17 [0291.435] _wcsicmp (_String1="srv", _String2="BackupExecVSSProvider") returned 17 [0291.435] _wcsicmp (_String1="lanmanserver", _String2="BackupExecVSSProvider") returned 10 [0291.435] _wcsicmp (_String1="alerter", _String2="BackupExecVSSProvider") returned -1 [0291.435] _wcsicmp (_String1="netlogon", _String2="BackupExecVSSProvider") returned 12 [0291.435] _wcsupr (in: _String="BackupExecVSSProvider" | out: _String="BACKUPEXECVSSPROVIDER") returned="BACKUPEXECVSSPROVIDER" [0291.435] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2af0930 [0291.438] GetServiceKeyNameW (in: hSCManager=0x2af0930, lpDisplayName="BACKUPEXECVSSPROVIDER", lpServiceName=0x1c8c28, lpcchBuffer=0x27af83c | out: lpServiceName="", lpcchBuffer=0x27af83c) returned 0 [0291.439] _wcsicmp (_String1="msg", _String2="BACKUPEXECVSSPROVIDER") returned 11 [0291.439] _wcsicmp (_String1="messenger", _String2="BACKUPEXECVSSPROVIDER") returned 11 [0291.439] _wcsicmp (_String1="receiver", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0291.439] _wcsicmp (_String1="rcv", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0291.439] _wcsicmp (_String1="redirector", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0291.439] _wcsicmp (_String1="redir", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0291.439] _wcsicmp (_String1="rdr", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0291.439] _wcsicmp (_String1="workstation", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0291.439] _wcsicmp (_String1="work", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0291.439] _wcsicmp (_String1="wksta", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0291.439] _wcsicmp (_String1="prdr", _String2="BACKUPEXECVSSPROVIDER") returned 14 [0291.439] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECVSSPROVIDER") returned 2 [0291.439] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECVSSPROVIDER") returned 10 [0291.439] _wcsicmp (_String1="server", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0291.439] _wcsicmp (_String1="svr", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0291.440] _wcsicmp (_String1="srv", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0291.440] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECVSSPROVIDER") returned 10 [0291.440] _wcsicmp (_String1="alerter", _String2="BACKUPEXECVSSPROVIDER") returned -1 [0291.440] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECVSSPROVIDER") returned 12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="WORKSTATION") returned -21 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="LanmanWorkstation") returned -10 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="SERVER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="LanmanServer") returned -10 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="BROWSER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="BROWSER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="MESSENGER") returned -11 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="MESSENGER") returned -11 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="NETRUN") returned -12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="NETRUN") returned -12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="SPOOLER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="SPOOLER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="ALERTER") returned 1 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="ALERTER") returned 1 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="NETLOGON") returned -12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="NETLOGON") returned -12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="NETPOPUP") returned -12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="NETPOPUP") returned -12 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="SQLSERVER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="SQLSERVER") returned -17 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="REPLICATOR") returned -16 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="REPLICATOR") returned -16 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="REMOTEBOOT") returned -16 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="REMOTEBOOT") returned -16 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="TIMESOURCE") returned -18 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="TIMESOURCE") returned -18 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="AFP") returned 1 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="AFP") returned 1 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="UPS") returned -19 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="UPS") returned -19 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="XACTSRV") returned -22 [0291.440] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="XACTSRV") returned -22 [0291.441] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="TCPIP") returned -18 [0291.441] _wcsicmp (_String1="BACKUPEXECVSSPROVIDER", _String2="TCPIP") returned -18 [0291.441] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2af09a8 [0291.441] OpenServiceW (hSCManager=0x2af09a8, lpServiceName="BACKUPEXECVSSPROVIDER", dwDesiredAccess=0x84) returned 0x0 [0291.442] GetLastError () returned 0x424 [0291.442] CloseServiceHandle (hSCObject=0x2af09a8) returned 1 [0291.442] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0291.442] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x27f0002 [0291.443] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x27f0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0291.443] GetFileType (hFile=0x94) returned 0x2 [0291.443] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27af6cc | out: lpMode=0x27af6cc) returned 1 [0291.444] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x27af6d8, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x27af6d8*=0x1e) returned 1 [0291.444] GetFileType (hFile=0x94) returned 0x2 [0291.444] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27af6cc | out: lpMode=0x27af6cc) returned 1 [0291.444] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x27af6d8, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x27af6d8*=0x2) returned 1 [0291.445] _ultow (in: _Dest=0x889, _Radix=41613088 | out: _Dest=0x889) returned="2185" [0291.445] FormatMessageW (in: dwFlags=0x2800, lpSource=0x27f0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0291.445] GetFileType (hFile=0x94) returned 0x2 [0291.445] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27af6f0 | out: lpMode=0x27af6f0) returned 1 [0291.445] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x27af6fc, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x27af6fc*=0x34) returned 1 [0291.446] GetFileType (hFile=0x94) returned 0x2 [0291.446] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27af6f0 | out: lpMode=0x27af6f0) returned 1 [0291.446] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x27af6fc, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x27af6fc*=0x2) returned 1 [0291.446] NetApiBufferFree (Buffer=0x2ae7cf8) returned 0x0 [0291.446] NetApiBufferFree (Buffer=0x2ae7d10) returned 0x0 [0291.446] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecVSSProvider /y" [0291.446] exit (_Code=2) Thread: id = 192 os_tid = 0xee4 Process: id = "79" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1c98c000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecAgentAccelerator /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 193 os_tid = 0xff0 Thread: id = 197 os_tid = 0xa84 Process: id = "80" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59e73000" os_pid = "0xe00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "79" os_parent_pid = "0xba0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 194 os_tid = 0xdc0 Thread: id = 195 os_tid = 0xe90 Thread: id = 196 os_tid = 0x79c Process: id = "81" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x100f0000" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "79" os_parent_pid = "0xba0" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecAgentAccelerator /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 198 os_tid = 0x518 [0291.885] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0291.885] __set_app_type (_Type=0x1) [0291.885] __p__fmode () returned 0x776f3c14 [0291.885] __p__commode () returned 0x776f49ec [0291.885] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0291.885] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0291.885] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0291.885] GetConsoleOutputCP () returned 0x1b5 [0291.886] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0291.886] SetThreadUILanguage (LangId=0x0) returned 0x2570409 [0291.889] sprintf_s (in: _DstBuf=0x26df9c8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0291.889] setlocale (category=0, locale=".437") returned="English_United States.437" [0291.891] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0291.891] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0291.891] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecAgentAccelerator /y" [0291.891] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26df770, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0291.891] RtlAllocateHeap (HeapHandle=0x2820000, Flags=0x0, Size=0x88) returned 0x28245c0 [0291.891] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0291.891] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26df76c | out: Buffer=0x26df76c*=0x2827d50) returned 0x0 [0291.891] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26df768 | out: Buffer=0x26df768*=0x2827d68) returned 0x0 [0291.891] __iob_func () returned 0x776f2608 [0291.891] _fileno (_File=0x776f2608) returned 0 [0291.891] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0291.891] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0291.891] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0291.891] _wcsicmp (_String1="config", _String2="stop") returned -16 [0291.891] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0291.891] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0291.891] _wcsicmp (_String1="file", _String2="stop") returned -13 [0291.891] _wcsicmp (_String1="files", _String2="stop") returned -13 [0291.891] _wcsicmp (_String1="group", _String2="stop") returned -12 [0291.891] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0291.891] _wcsicmp (_String1="help", _String2="stop") returned -11 [0291.892] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0291.892] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0291.892] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0291.892] _wcsicmp (_String1="session", _String2="stop") returned -15 [0291.892] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0291.892] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0291.892] _wcsicmp (_String1="share", _String2="stop") returned -12 [0291.892] _wcsicmp (_String1="start", _String2="stop") returned -14 [0291.892] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0291.892] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0291.892] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0291.892] _wcsicmp (_String1="accounts", _String2="BackupExecAgentAccelerator") returned -1 [0291.892] _wcsicmp (_String1="computer", _String2="BackupExecAgentAccelerator") returned 1 [0291.892] _wcsicmp (_String1="config", _String2="BackupExecAgentAccelerator") returned 1 [0291.892] _wcsicmp (_String1="continue", _String2="BackupExecAgentAccelerator") returned 1 [0291.892] _wcsicmp (_String1="cont", _String2="BackupExecAgentAccelerator") returned 1 [0291.892] _wcsicmp (_String1="file", _String2="BackupExecAgentAccelerator") returned 4 [0291.892] _wcsicmp (_String1="files", _String2="BackupExecAgentAccelerator") returned 4 [0291.892] _wcsicmp (_String1="group", _String2="BackupExecAgentAccelerator") returned 5 [0291.892] _wcsicmp (_String1="groups", _String2="BackupExecAgentAccelerator") returned 5 [0291.892] _wcsicmp (_String1="help", _String2="BackupExecAgentAccelerator") returned 6 [0291.892] _wcsicmp (_String1="helpmsg", _String2="BackupExecAgentAccelerator") returned 6 [0291.892] _wcsicmp (_String1="localgroup", _String2="BackupExecAgentAccelerator") returned 10 [0291.892] _wcsicmp (_String1="pause", _String2="BackupExecAgentAccelerator") returned 14 [0291.892] _wcsicmp (_String1="session", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="sessions", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="sess", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="share", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="start", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="stats", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="statistics", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="stop", _String2="BackupExecAgentAccelerator") returned 17 [0291.892] _wcsicmp (_String1="time", _String2="BackupExecAgentAccelerator") returned 18 [0291.892] _wcsicmp (_String1="user", _String2="BackupExecAgentAccelerator") returned 19 [0291.892] _wcsicmp (_String1="users", _String2="BackupExecAgentAccelerator") returned 19 [0291.892] _wcsicmp (_String1="msg", _String2="BackupExecAgentAccelerator") returned 11 [0291.893] _wcsicmp (_String1="messenger", _String2="BackupExecAgentAccelerator") returned 11 [0291.893] _wcsicmp (_String1="receiver", _String2="BackupExecAgentAccelerator") returned 16 [0291.893] _wcsicmp (_String1="rcv", _String2="BackupExecAgentAccelerator") returned 16 [0291.893] _wcsicmp (_String1="netpopup", _String2="BackupExecAgentAccelerator") returned 12 [0291.893] _wcsicmp (_String1="redirector", _String2="BackupExecAgentAccelerator") returned 16 [0291.893] _wcsicmp (_String1="redir", _String2="BackupExecAgentAccelerator") returned 16 [0291.893] _wcsicmp (_String1="rdr", _String2="BackupExecAgentAccelerator") returned 16 [0291.893] _wcsicmp (_String1="workstation", _String2="BackupExecAgentAccelerator") returned 21 [0291.893] _wcsicmp (_String1="work", _String2="BackupExecAgentAccelerator") returned 21 [0291.893] _wcsicmp (_String1="wksta", _String2="BackupExecAgentAccelerator") returned 21 [0291.893] _wcsicmp (_String1="prdr", _String2="BackupExecAgentAccelerator") returned 14 [0291.893] _wcsicmp (_String1="devrdr", _String2="BackupExecAgentAccelerator") returned 2 [0291.893] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecAgentAccelerator") returned 10 [0291.893] _wcsicmp (_String1="server", _String2="BackupExecAgentAccelerator") returned 17 [0291.893] _wcsicmp (_String1="svr", _String2="BackupExecAgentAccelerator") returned 17 [0291.893] _wcsicmp (_String1="srv", _String2="BackupExecAgentAccelerator") returned 17 [0291.893] _wcsicmp (_String1="lanmanserver", _String2="BackupExecAgentAccelerator") returned 10 [0291.893] _wcsicmp (_String1="alerter", _String2="BackupExecAgentAccelerator") returned -1 [0291.893] _wcsicmp (_String1="netlogon", _String2="BackupExecAgentAccelerator") returned 12 [0291.893] _wcsupr (in: _String="BackupExecAgentAccelerator" | out: _String="BACKUPEXECAGENTACCELERATOR") returned="BACKUPEXECAGENTACCELERATOR" [0291.893] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2830818 [0291.896] GetServiceKeyNameW (in: hSCManager=0x2830818, lpDisplayName="BACKUPEXECAGENTACCELERATOR", lpServiceName=0x1c8c28, lpcchBuffer=0x26df6dc | out: lpServiceName="", lpcchBuffer=0x26df6dc) returned 0 [0291.897] _wcsicmp (_String1="msg", _String2="BACKUPEXECAGENTACCELERATOR") returned 11 [0291.897] _wcsicmp (_String1="messenger", _String2="BACKUPEXECAGENTACCELERATOR") returned 11 [0291.897] _wcsicmp (_String1="receiver", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0291.897] _wcsicmp (_String1="rcv", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0291.897] _wcsicmp (_String1="redirector", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0291.897] _wcsicmp (_String1="redir", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0291.897] _wcsicmp (_String1="rdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0291.897] _wcsicmp (_String1="workstation", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0291.897] _wcsicmp (_String1="work", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0291.897] _wcsicmp (_String1="wksta", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0291.897] _wcsicmp (_String1="prdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 14 [0291.897] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 2 [0291.897] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECAGENTACCELERATOR") returned 10 [0291.897] _wcsicmp (_String1="server", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0291.897] _wcsicmp (_String1="svr", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0291.897] _wcsicmp (_String1="srv", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0291.897] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECAGENTACCELERATOR") returned 10 [0291.897] _wcsicmp (_String1="alerter", _String2="BACKUPEXECAGENTACCELERATOR") returned -1 [0291.897] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECAGENTACCELERATOR") returned 12 [0291.897] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="WORKSTATION") returned -21 [0291.897] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="LanmanWorkstation") returned -10 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="SERVER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="LanmanServer") returned -10 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="BROWSER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="BROWSER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="MESSENGER") returned -11 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="MESSENGER") returned -11 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="NETRUN") returned -12 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="NETRUN") returned -12 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="SPOOLER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="SPOOLER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="ALERTER") returned 1 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="ALERTER") returned 1 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="NETLOGON") returned -12 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="NETLOGON") returned -12 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="NETPOPUP") returned -12 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="NETPOPUP") returned -12 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="SQLSERVER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="SQLSERVER") returned -17 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="REPLICATOR") returned -16 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="REPLICATOR") returned -16 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="REMOTEBOOT") returned -16 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="REMOTEBOOT") returned -16 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="TIMESOURCE") returned -18 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="TIMESOURCE") returned -18 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="AFP") returned 1 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="AFP") returned 1 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="UPS") returned -19 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="UPS") returned -19 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="XACTSRV") returned -22 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="XACTSRV") returned -22 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="TCPIP") returned -18 [0291.898] _wcsicmp (_String1="BACKUPEXECAGENTACCELERATOR", _String2="TCPIP") returned -18 [0291.898] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2830ac0 [0291.899] OpenServiceW (hSCManager=0x2830ac0, lpServiceName="BACKUPEXECAGENTACCELERATOR", dwDesiredAccess=0x84) returned 0x0 [0291.899] GetLastError () returned 0x424 [0291.899] CloseServiceHandle (hSCObject=0x2830ac0) returned 1 [0291.899] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0291.899] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2700002 [0291.900] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2700002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0291.901] GetFileType (hFile=0x94) returned 0x2 [0291.901] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26df56c | out: lpMode=0x26df56c) returned 1 [0291.901] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26df578, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x26df578*=0x1e) returned 1 [0291.901] GetFileType (hFile=0x94) returned 0x2 [0291.901] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26df56c | out: lpMode=0x26df56c) returned 1 [0291.902] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26df578, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x26df578*=0x2) returned 1 [0291.902] _ultow (in: _Dest=0x889, _Radix=40760768 | out: _Dest=0x889) returned="2185" [0291.902] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2700002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0291.902] GetFileType (hFile=0x94) returned 0x2 [0291.902] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26df590 | out: lpMode=0x26df590) returned 1 [0291.903] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26df59c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x26df59c*=0x34) returned 1 [0291.903] GetFileType (hFile=0x94) returned 0x2 [0291.903] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26df590 | out: lpMode=0x26df590) returned 1 [0291.903] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26df59c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x26df59c*=0x2) returned 1 [0291.904] NetApiBufferFree (Buffer=0x2827d50) returned 0x0 [0291.904] NetApiBufferFree (Buffer=0x2827d68) returned 0x0 [0291.904] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecAgentAccelerator /y" [0291.904] exit (_Code=2) Thread: id = 199 os_tid = 0xd78 Process: id = "82" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x9111000" os_pid = "0x1224" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecAgentBrowser /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 200 os_tid = 0xd94 Thread: id = 204 os_tid = 0x824 Process: id = "83" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x100f0000" os_pid = "0x100c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x1224" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 201 os_tid = 0xf74 Thread: id = 202 os_tid = 0x1134 Thread: id = 203 os_tid = 0xe84 Process: id = "84" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1a5ee000" os_pid = "0x764" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x1224" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecAgentBrowser /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 205 os_tid = 0xa10 [0292.259] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0292.259] __set_app_type (_Type=0x1) [0292.259] __p__fmode () returned 0x776f3c14 [0292.259] __p__commode () returned 0x776f49ec [0292.259] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0292.259] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0292.259] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0292.259] GetConsoleOutputCP () returned 0x1b5 [0292.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0292.260] SetThreadUILanguage (LangId=0x0) returned 0x2940409 [0292.263] sprintf_s (in: _DstBuf=0x27bfc54, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0292.263] setlocale (category=0, locale=".437") returned="English_United States.437" [0292.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0292.265] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0292.265] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecAgentBrowser /y" [0292.265] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27bf9fc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0292.265] RtlAllocateHeap (HeapHandle=0x2c90000, Flags=0x0, Size=0x80) returned 0x2c945b0 [0292.265] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0292.265] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27bf9f8 | out: Buffer=0x27bf9f8*=0x2c97cf8) returned 0x0 [0292.265] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27bf9f4 | out: Buffer=0x27bf9f4*=0x2c97d28) returned 0x0 [0292.265] __iob_func () returned 0x776f2608 [0292.265] _fileno (_File=0x776f2608) returned 0 [0292.265] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0292.265] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0292.266] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0292.266] _wcsicmp (_String1="config", _String2="stop") returned -16 [0292.266] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0292.266] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0292.266] _wcsicmp (_String1="file", _String2="stop") returned -13 [0292.266] _wcsicmp (_String1="files", _String2="stop") returned -13 [0292.266] _wcsicmp (_String1="group", _String2="stop") returned -12 [0292.266] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0292.266] _wcsicmp (_String1="help", _String2="stop") returned -11 [0292.266] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0292.266] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0292.266] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0292.266] _wcsicmp (_String1="session", _String2="stop") returned -15 [0292.266] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0292.266] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0292.266] _wcsicmp (_String1="share", _String2="stop") returned -12 [0292.266] _wcsicmp (_String1="start", _String2="stop") returned -14 [0292.266] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0292.266] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0292.266] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0292.266] _wcsicmp (_String1="accounts", _String2="BackupExecAgentBrowser") returned -1 [0292.266] _wcsicmp (_String1="computer", _String2="BackupExecAgentBrowser") returned 1 [0292.266] _wcsicmp (_String1="config", _String2="BackupExecAgentBrowser") returned 1 [0292.266] _wcsicmp (_String1="continue", _String2="BackupExecAgentBrowser") returned 1 [0292.266] _wcsicmp (_String1="cont", _String2="BackupExecAgentBrowser") returned 1 [0292.266] _wcsicmp (_String1="file", _String2="BackupExecAgentBrowser") returned 4 [0292.266] _wcsicmp (_String1="files", _String2="BackupExecAgentBrowser") returned 4 [0292.266] _wcsicmp (_String1="group", _String2="BackupExecAgentBrowser") returned 5 [0292.266] _wcsicmp (_String1="groups", _String2="BackupExecAgentBrowser") returned 5 [0292.266] _wcsicmp (_String1="help", _String2="BackupExecAgentBrowser") returned 6 [0292.266] _wcsicmp (_String1="helpmsg", _String2="BackupExecAgentBrowser") returned 6 [0292.266] _wcsicmp (_String1="localgroup", _String2="BackupExecAgentBrowser") returned 10 [0292.266] _wcsicmp (_String1="pause", _String2="BackupExecAgentBrowser") returned 14 [0292.266] _wcsicmp (_String1="session", _String2="BackupExecAgentBrowser") returned 17 [0292.266] _wcsicmp (_String1="sessions", _String2="BackupExecAgentBrowser") returned 17 [0292.266] _wcsicmp (_String1="sess", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="share", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="start", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="stats", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="statistics", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="stop", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="time", _String2="BackupExecAgentBrowser") returned 18 [0292.267] _wcsicmp (_String1="user", _String2="BackupExecAgentBrowser") returned 19 [0292.267] _wcsicmp (_String1="users", _String2="BackupExecAgentBrowser") returned 19 [0292.267] _wcsicmp (_String1="msg", _String2="BackupExecAgentBrowser") returned 11 [0292.267] _wcsicmp (_String1="messenger", _String2="BackupExecAgentBrowser") returned 11 [0292.267] _wcsicmp (_String1="receiver", _String2="BackupExecAgentBrowser") returned 16 [0292.267] _wcsicmp (_String1="rcv", _String2="BackupExecAgentBrowser") returned 16 [0292.267] _wcsicmp (_String1="netpopup", _String2="BackupExecAgentBrowser") returned 12 [0292.267] _wcsicmp (_String1="redirector", _String2="BackupExecAgentBrowser") returned 16 [0292.267] _wcsicmp (_String1="redir", _String2="BackupExecAgentBrowser") returned 16 [0292.267] _wcsicmp (_String1="rdr", _String2="BackupExecAgentBrowser") returned 16 [0292.267] _wcsicmp (_String1="workstation", _String2="BackupExecAgentBrowser") returned 21 [0292.267] _wcsicmp (_String1="work", _String2="BackupExecAgentBrowser") returned 21 [0292.267] _wcsicmp (_String1="wksta", _String2="BackupExecAgentBrowser") returned 21 [0292.267] _wcsicmp (_String1="prdr", _String2="BackupExecAgentBrowser") returned 14 [0292.267] _wcsicmp (_String1="devrdr", _String2="BackupExecAgentBrowser") returned 2 [0292.267] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecAgentBrowser") returned 10 [0292.267] _wcsicmp (_String1="server", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="svr", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="srv", _String2="BackupExecAgentBrowser") returned 17 [0292.267] _wcsicmp (_String1="lanmanserver", _String2="BackupExecAgentBrowser") returned 10 [0292.267] _wcsicmp (_String1="alerter", _String2="BackupExecAgentBrowser") returned -1 [0292.267] _wcsicmp (_String1="netlogon", _String2="BackupExecAgentBrowser") returned 12 [0292.267] _wcsupr (in: _String="BackupExecAgentBrowser" | out: _String="BACKUPEXECAGENTBROWSER") returned="BACKUPEXECAGENTBROWSER" [0292.267] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ca0a98 [0292.270] GetServiceKeyNameW (in: hSCManager=0x2ca0a98, lpDisplayName="BACKUPEXECAGENTBROWSER", lpServiceName=0x1c8c28, lpcchBuffer=0x27bf96c | out: lpServiceName="", lpcchBuffer=0x27bf96c) returned 0 [0292.271] _wcsicmp (_String1="msg", _String2="BACKUPEXECAGENTBROWSER") returned 11 [0292.271] _wcsicmp (_String1="messenger", _String2="BACKUPEXECAGENTBROWSER") returned 11 [0292.271] _wcsicmp (_String1="receiver", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0292.271] _wcsicmp (_String1="rcv", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0292.271] _wcsicmp (_String1="redirector", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0292.271] _wcsicmp (_String1="redir", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0292.271] _wcsicmp (_String1="rdr", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0292.271] _wcsicmp (_String1="workstation", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0292.271] _wcsicmp (_String1="work", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0292.271] _wcsicmp (_String1="wksta", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0292.271] _wcsicmp (_String1="prdr", _String2="BACKUPEXECAGENTBROWSER") returned 14 [0292.271] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECAGENTBROWSER") returned 2 [0292.271] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECAGENTBROWSER") returned 10 [0292.271] _wcsicmp (_String1="server", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0292.271] _wcsicmp (_String1="svr", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0292.271] _wcsicmp (_String1="srv", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0292.272] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECAGENTBROWSER") returned 10 [0292.272] _wcsicmp (_String1="alerter", _String2="BACKUPEXECAGENTBROWSER") returned -1 [0292.272] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECAGENTBROWSER") returned 12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="WORKSTATION") returned -21 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="LanmanWorkstation") returned -10 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="SERVER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="LanmanServer") returned -10 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="BROWSER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="BROWSER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="MESSENGER") returned -11 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="MESSENGER") returned -11 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="NETRUN") returned -12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="NETRUN") returned -12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="SPOOLER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="SPOOLER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="ALERTER") returned 1 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="ALERTER") returned 1 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="NETLOGON") returned -12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="NETLOGON") returned -12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="NETPOPUP") returned -12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="NETPOPUP") returned -12 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="SQLSERVER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="SQLSERVER") returned -17 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="REPLICATOR") returned -16 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="REPLICATOR") returned -16 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="REMOTEBOOT") returned -16 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="REMOTEBOOT") returned -16 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="TIMESOURCE") returned -18 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="TIMESOURCE") returned -18 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="AFP") returned 1 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="AFP") returned 1 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="UPS") returned -19 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="UPS") returned -19 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="XACTSRV") returned -22 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="XACTSRV") returned -22 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="TCPIP") returned -18 [0292.272] _wcsicmp (_String1="BACKUPEXECAGENTBROWSER", _String2="TCPIP") returned -18 [0292.273] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2ca0778 [0292.273] OpenServiceW (hSCManager=0x2ca0778, lpServiceName="BACKUPEXECAGENTBROWSER", dwDesiredAccess=0x84) returned 0x0 [0292.273] GetLastError () returned 0x424 [0292.273] CloseServiceHandle (hSCObject=0x2ca0778) returned 1 [0292.273] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0292.273] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x27f0002 [0292.274] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x27f0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0292.275] GetFileType (hFile=0x94) returned 0x2 [0292.275] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27bf7fc | out: lpMode=0x27bf7fc) returned 1 [0292.275] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x27bf808, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x27bf808*=0x1e) returned 1 [0292.276] GetFileType (hFile=0x94) returned 0x2 [0292.276] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27bf7fc | out: lpMode=0x27bf7fc) returned 1 [0292.276] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x27bf808, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x27bf808*=0x2) returned 1 [0292.276] _ultow (in: _Dest=0x889, _Radix=41678928 | out: _Dest=0x889) returned="2185" [0292.276] FormatMessageW (in: dwFlags=0x2800, lpSource=0x27f0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0292.276] GetFileType (hFile=0x94) returned 0x2 [0292.277] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27bf820 | out: lpMode=0x27bf820) returned 1 [0292.277] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x27bf82c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x27bf82c*=0x34) returned 1 [0292.277] GetFileType (hFile=0x94) returned 0x2 [0292.277] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x27bf820 | out: lpMode=0x27bf820) returned 1 [0292.277] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x27bf82c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x27bf82c*=0x2) returned 1 [0292.278] NetApiBufferFree (Buffer=0x2c97cf8) returned 0x0 [0292.278] NetApiBufferFree (Buffer=0x2c97d28) returned 0x0 [0292.278] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecAgentBrowser /y" [0292.278] exit (_Code=2) Thread: id = 206 os_tid = 0xe70 Process: id = "85" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x79b96000" os_pid = "0x114c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecDiveciMediaService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 207 os_tid = 0x3b8 Thread: id = 211 os_tid = 0x2d4 Process: id = "86" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1a2d1000" os_pid = "0x728" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "85" os_parent_pid = "0x114c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 208 os_tid = 0x1fc Thread: id = 209 os_tid = 0xdec Thread: id = 210 os_tid = 0x5f0 Process: id = "87" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5eb51000" os_pid = "0xdb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "85" os_parent_pid = "0x114c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecDiveciMediaService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 212 os_tid = 0xe64 [0292.792] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0292.792] __set_app_type (_Type=0x1) [0292.792] __p__fmode () returned 0x776f3c14 [0292.793] __p__commode () returned 0x776f49ec [0292.793] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0292.793] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0292.793] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0292.793] GetConsoleOutputCP () returned 0x1b5 [0292.793] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0292.793] SetThreadUILanguage (LangId=0x0) returned 0x2a90409 [0292.796] sprintf_s (in: _DstBuf=0x295fa1c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0292.796] setlocale (category=0, locale=".437") returned="English_United States.437" [0292.798] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0292.798] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0292.798] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecDiveciMediaService /y" [0292.798] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x295f7c4, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0292.798] RtlAllocateHeap (HeapHandle=0x2e90000, Flags=0x0, Size=0x8c) returned 0x2e93928 [0292.798] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0292.798] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x295f7c0 | out: Buffer=0x295f7c0*=0x2e97e00) returned 0x0 [0292.798] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x295f7bc | out: Buffer=0x295f7bc*=0x2e97e18) returned 0x0 [0292.798] __iob_func () returned 0x776f2608 [0292.798] _fileno (_File=0x776f2608) returned 0 [0292.798] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0292.799] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0292.799] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0292.799] _wcsicmp (_String1="config", _String2="stop") returned -16 [0292.799] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0292.799] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0292.799] _wcsicmp (_String1="file", _String2="stop") returned -13 [0292.799] _wcsicmp (_String1="files", _String2="stop") returned -13 [0292.799] _wcsicmp (_String1="group", _String2="stop") returned -12 [0292.799] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0292.799] _wcsicmp (_String1="help", _String2="stop") returned -11 [0292.799] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0292.799] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0292.799] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0292.799] _wcsicmp (_String1="session", _String2="stop") returned -15 [0292.799] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0292.799] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0292.799] _wcsicmp (_String1="share", _String2="stop") returned -12 [0292.799] _wcsicmp (_String1="start", _String2="stop") returned -14 [0292.799] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0292.799] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0292.799] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0292.799] _wcsicmp (_String1="accounts", _String2="BackupExecDiveciMediaService") returned -1 [0292.799] _wcsicmp (_String1="computer", _String2="BackupExecDiveciMediaService") returned 1 [0292.799] _wcsicmp (_String1="config", _String2="BackupExecDiveciMediaService") returned 1 [0292.799] _wcsicmp (_String1="continue", _String2="BackupExecDiveciMediaService") returned 1 [0292.799] _wcsicmp (_String1="cont", _String2="BackupExecDiveciMediaService") returned 1 [0292.799] _wcsicmp (_String1="file", _String2="BackupExecDiveciMediaService") returned 4 [0292.799] _wcsicmp (_String1="files", _String2="BackupExecDiveciMediaService") returned 4 [0292.799] _wcsicmp (_String1="group", _String2="BackupExecDiveciMediaService") returned 5 [0292.799] _wcsicmp (_String1="groups", _String2="BackupExecDiveciMediaService") returned 5 [0292.799] _wcsicmp (_String1="help", _String2="BackupExecDiveciMediaService") returned 6 [0292.799] _wcsicmp (_String1="helpmsg", _String2="BackupExecDiveciMediaService") returned 6 [0292.799] _wcsicmp (_String1="localgroup", _String2="BackupExecDiveciMediaService") returned 10 [0292.799] _wcsicmp (_String1="pause", _String2="BackupExecDiveciMediaService") returned 14 [0292.800] _wcsicmp (_String1="session", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="sessions", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="sess", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="share", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="start", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="stats", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="statistics", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="stop", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="time", _String2="BackupExecDiveciMediaService") returned 18 [0292.800] _wcsicmp (_String1="user", _String2="BackupExecDiveciMediaService") returned 19 [0292.800] _wcsicmp (_String1="users", _String2="BackupExecDiveciMediaService") returned 19 [0292.800] _wcsicmp (_String1="msg", _String2="BackupExecDiveciMediaService") returned 11 [0292.800] _wcsicmp (_String1="messenger", _String2="BackupExecDiveciMediaService") returned 11 [0292.800] _wcsicmp (_String1="receiver", _String2="BackupExecDiveciMediaService") returned 16 [0292.800] _wcsicmp (_String1="rcv", _String2="BackupExecDiveciMediaService") returned 16 [0292.800] _wcsicmp (_String1="netpopup", _String2="BackupExecDiveciMediaService") returned 12 [0292.800] _wcsicmp (_String1="redirector", _String2="BackupExecDiveciMediaService") returned 16 [0292.800] _wcsicmp (_String1="redir", _String2="BackupExecDiveciMediaService") returned 16 [0292.800] _wcsicmp (_String1="rdr", _String2="BackupExecDiveciMediaService") returned 16 [0292.800] _wcsicmp (_String1="workstation", _String2="BackupExecDiveciMediaService") returned 21 [0292.800] _wcsicmp (_String1="work", _String2="BackupExecDiveciMediaService") returned 21 [0292.800] _wcsicmp (_String1="wksta", _String2="BackupExecDiveciMediaService") returned 21 [0292.800] _wcsicmp (_String1="prdr", _String2="BackupExecDiveciMediaService") returned 14 [0292.800] _wcsicmp (_String1="devrdr", _String2="BackupExecDiveciMediaService") returned 2 [0292.800] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecDiveciMediaService") returned 10 [0292.800] _wcsicmp (_String1="server", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="svr", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="srv", _String2="BackupExecDiveciMediaService") returned 17 [0292.800] _wcsicmp (_String1="lanmanserver", _String2="BackupExecDiveciMediaService") returned 10 [0292.800] _wcsicmp (_String1="alerter", _String2="BackupExecDiveciMediaService") returned -1 [0292.800] _wcsicmp (_String1="netlogon", _String2="BackupExecDiveciMediaService") returned 12 [0292.800] _wcsupr (in: _String="BackupExecDiveciMediaService" | out: _String="BACKUPEXECDIVECIMEDIASERVICE") returned="BACKUPEXECDIVECIMEDIASERVICE" [0292.800] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ea0838 [0292.804] GetServiceKeyNameW (in: hSCManager=0x2ea0838, lpDisplayName="BACKUPEXECDIVECIMEDIASERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x295f734 | out: lpServiceName="", lpcchBuffer=0x295f734) returned 0 [0292.804] _wcsicmp (_String1="msg", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 11 [0292.804] _wcsicmp (_String1="messenger", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 11 [0292.804] _wcsicmp (_String1="receiver", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 16 [0292.804] _wcsicmp (_String1="rcv", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 16 [0292.804] _wcsicmp (_String1="redirector", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 16 [0292.804] _wcsicmp (_String1="redir", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 16 [0292.805] _wcsicmp (_String1="rdr", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 16 [0292.805] _wcsicmp (_String1="workstation", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 21 [0292.805] _wcsicmp (_String1="work", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 21 [0292.805] _wcsicmp (_String1="wksta", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 21 [0292.805] _wcsicmp (_String1="prdr", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 14 [0292.805] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 2 [0292.805] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 10 [0292.805] _wcsicmp (_String1="server", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 17 [0292.805] _wcsicmp (_String1="svr", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 17 [0292.805] _wcsicmp (_String1="srv", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 17 [0292.805] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 10 [0292.805] _wcsicmp (_String1="alerter", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned -1 [0292.805] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECDIVECIMEDIASERVICE") returned 12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="WORKSTATION") returned -21 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="LanmanWorkstation") returned -10 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="SERVER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="LanmanServer") returned -10 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="BROWSER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="BROWSER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="MESSENGER") returned -11 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="MESSENGER") returned -11 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="NETRUN") returned -12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="NETRUN") returned -12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="SPOOLER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="SPOOLER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="ALERTER") returned 1 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="ALERTER") returned 1 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="NETLOGON") returned -12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="NETLOGON") returned -12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="NETPOPUP") returned -12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="NETPOPUP") returned -12 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="SQLSERVER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="SQLSERVER") returned -17 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="REPLICATOR") returned -16 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="REPLICATOR") returned -16 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="REMOTEBOOT") returned -16 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="REMOTEBOOT") returned -16 [0292.805] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="TIMESOURCE") returned -18 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="TIMESOURCE") returned -18 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="AFP") returned 1 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="AFP") returned 1 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="UPS") returned -19 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="UPS") returned -19 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="XACTSRV") returned -22 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="XACTSRV") returned -22 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="TCPIP") returned -18 [0292.806] _wcsicmp (_String1="BACKUPEXECDIVECIMEDIASERVICE", _String2="TCPIP") returned -18 [0292.806] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2ea09a0 [0292.806] OpenServiceW (hSCManager=0x2ea09a0, lpServiceName="BACKUPEXECDIVECIMEDIASERVICE", dwDesiredAccess=0x84) returned 0x0 [0292.806] GetLastError () returned 0x424 [0292.806] CloseServiceHandle (hSCObject=0x2ea09a0) returned 1 [0292.807] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0292.807] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x29d0002 [0292.807] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x29d0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0292.808] GetFileType (hFile=0x94) returned 0x2 [0292.808] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x295f5c4 | out: lpMode=0x295f5c4) returned 1 [0292.808] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x295f5d0, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x295f5d0*=0x1e) returned 1 [0292.809] GetFileType (hFile=0x94) returned 0x2 [0292.809] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x295f5c4 | out: lpMode=0x295f5c4) returned 1 [0292.809] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x295f5d0, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x295f5d0*=0x2) returned 1 [0292.810] _ultow (in: _Dest=0x889, _Radix=43382296 | out: _Dest=0x889) returned="2185" [0292.810] FormatMessageW (in: dwFlags=0x2800, lpSource=0x29d0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0292.810] GetFileType (hFile=0x94) returned 0x2 [0292.810] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x295f5e8 | out: lpMode=0x295f5e8) returned 1 [0292.810] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x295f5f4, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x295f5f4*=0x34) returned 1 [0292.810] GetFileType (hFile=0x94) returned 0x2 [0292.810] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x295f5e8 | out: lpMode=0x295f5e8) returned 1 [0292.811] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x295f5f4, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x295f5f4*=0x2) returned 1 [0292.811] NetApiBufferFree (Buffer=0x2e97e00) returned 0x0 [0292.811] NetApiBufferFree (Buffer=0x2e97e18) returned 0x0 [0292.811] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecDiveciMediaService /y" [0292.811] exit (_Code=2) Thread: id = 213 os_tid = 0x6a8 Process: id = "88" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x18f99000" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecJobEngine /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 214 os_tid = 0xf90 Thread: id = 218 os_tid = 0x1264 Process: id = "89" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x19b08000" os_pid = "0x3cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "88" os_parent_pid = "0xd2c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 215 os_tid = 0xd1c Thread: id = 216 os_tid = 0x13b0 Thread: id = 217 os_tid = 0x368 Process: id = "90" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x79a87000" os_pid = "0x1268" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "88" os_parent_pid = "0xd2c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecJobEngine /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 219 os_tid = 0x101c [0293.173] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0293.173] __set_app_type (_Type=0x1) [0293.173] __p__fmode () returned 0x776f3c14 [0293.173] __p__commode () returned 0x776f49ec [0293.173] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0293.174] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0293.174] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0293.174] GetConsoleOutputCP () returned 0x1b5 [0293.174] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0293.174] SetThreadUILanguage (LangId=0x0) returned 0x2390409 [0293.177] sprintf_s (in: _DstBuf=0x13f7e0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0293.177] setlocale (category=0, locale=".437") returned="English_United States.437" [0293.179] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0293.179] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0293.179] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecJobEngine /y" [0293.179] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f588, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0293.179] RtlAllocateHeap (HeapHandle=0x2530000, Flags=0x0, Size=0x7a) returned 0x25345a8 [0293.179] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0293.179] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13f584 | out: Buffer=0x13f584*=0x2537cf0) returned 0x0 [0293.179] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13f580 | out: Buffer=0x13f580*=0x2537e10) returned 0x0 [0293.179] __iob_func () returned 0x776f2608 [0293.179] _fileno (_File=0x776f2608) returned 0 [0293.179] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0293.179] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0293.179] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0293.179] _wcsicmp (_String1="config", _String2="stop") returned -16 [0293.179] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0293.179] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0293.179] _wcsicmp (_String1="file", _String2="stop") returned -13 [0293.179] _wcsicmp (_String1="files", _String2="stop") returned -13 [0293.179] _wcsicmp (_String1="group", _String2="stop") returned -12 [0293.179] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0293.179] _wcsicmp (_String1="help", _String2="stop") returned -11 [0293.179] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0293.179] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0293.179] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0293.179] _wcsicmp (_String1="session", _String2="stop") returned -15 [0293.179] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0293.180] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0293.180] _wcsicmp (_String1="share", _String2="stop") returned -12 [0293.180] _wcsicmp (_String1="start", _String2="stop") returned -14 [0293.180] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0293.180] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0293.180] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0293.180] _wcsicmp (_String1="accounts", _String2="BackupExecJobEngine") returned -1 [0293.180] _wcsicmp (_String1="computer", _String2="BackupExecJobEngine") returned 1 [0293.180] _wcsicmp (_String1="config", _String2="BackupExecJobEngine") returned 1 [0293.180] _wcsicmp (_String1="continue", _String2="BackupExecJobEngine") returned 1 [0293.180] _wcsicmp (_String1="cont", _String2="BackupExecJobEngine") returned 1 [0293.180] _wcsicmp (_String1="file", _String2="BackupExecJobEngine") returned 4 [0293.180] _wcsicmp (_String1="files", _String2="BackupExecJobEngine") returned 4 [0293.180] _wcsicmp (_String1="group", _String2="BackupExecJobEngine") returned 5 [0293.180] _wcsicmp (_String1="groups", _String2="BackupExecJobEngine") returned 5 [0293.180] _wcsicmp (_String1="help", _String2="BackupExecJobEngine") returned 6 [0293.180] _wcsicmp (_String1="helpmsg", _String2="BackupExecJobEngine") returned 6 [0293.180] _wcsicmp (_String1="localgroup", _String2="BackupExecJobEngine") returned 10 [0293.180] _wcsicmp (_String1="pause", _String2="BackupExecJobEngine") returned 14 [0293.180] _wcsicmp (_String1="session", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="sessions", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="sess", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="share", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="start", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="stats", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="statistics", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="stop", _String2="BackupExecJobEngine") returned 17 [0293.180] _wcsicmp (_String1="time", _String2="BackupExecJobEngine") returned 18 [0293.180] _wcsicmp (_String1="user", _String2="BackupExecJobEngine") returned 19 [0293.180] _wcsicmp (_String1="users", _String2="BackupExecJobEngine") returned 19 [0293.180] _wcsicmp (_String1="msg", _String2="BackupExecJobEngine") returned 11 [0293.180] _wcsicmp (_String1="messenger", _String2="BackupExecJobEngine") returned 11 [0293.180] _wcsicmp (_String1="receiver", _String2="BackupExecJobEngine") returned 16 [0293.180] _wcsicmp (_String1="rcv", _String2="BackupExecJobEngine") returned 16 [0293.180] _wcsicmp (_String1="netpopup", _String2="BackupExecJobEngine") returned 12 [0293.180] _wcsicmp (_String1="redirector", _String2="BackupExecJobEngine") returned 16 [0293.181] _wcsicmp (_String1="redir", _String2="BackupExecJobEngine") returned 16 [0293.181] _wcsicmp (_String1="rdr", _String2="BackupExecJobEngine") returned 16 [0293.181] _wcsicmp (_String1="workstation", _String2="BackupExecJobEngine") returned 21 [0293.181] _wcsicmp (_String1="work", _String2="BackupExecJobEngine") returned 21 [0293.181] _wcsicmp (_String1="wksta", _String2="BackupExecJobEngine") returned 21 [0293.181] _wcsicmp (_String1="prdr", _String2="BackupExecJobEngine") returned 14 [0293.181] _wcsicmp (_String1="devrdr", _String2="BackupExecJobEngine") returned 2 [0293.181] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecJobEngine") returned 10 [0293.181] _wcsicmp (_String1="server", _String2="BackupExecJobEngine") returned 17 [0293.181] _wcsicmp (_String1="svr", _String2="BackupExecJobEngine") returned 17 [0293.181] _wcsicmp (_String1="srv", _String2="BackupExecJobEngine") returned 17 [0293.181] _wcsicmp (_String1="lanmanserver", _String2="BackupExecJobEngine") returned 10 [0293.181] _wcsicmp (_String1="alerter", _String2="BackupExecJobEngine") returned -1 [0293.181] _wcsicmp (_String1="netlogon", _String2="BackupExecJobEngine") returned 12 [0293.181] _wcsupr (in: _String="BackupExecJobEngine" | out: _String="BACKUPEXECJOBENGINE") returned="BACKUPEXECJOBENGINE" [0293.181] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2540b70 [0293.184] GetServiceKeyNameW (in: hSCManager=0x2540b70, lpDisplayName="BACKUPEXECJOBENGINE", lpServiceName=0x1c8c28, lpcchBuffer=0x13f4f4 | out: lpServiceName="", lpcchBuffer=0x13f4f4) returned 0 [0293.185] _wcsicmp (_String1="msg", _String2="BACKUPEXECJOBENGINE") returned 11 [0293.185] _wcsicmp (_String1="messenger", _String2="BACKUPEXECJOBENGINE") returned 11 [0293.185] _wcsicmp (_String1="receiver", _String2="BACKUPEXECJOBENGINE") returned 16 [0293.185] _wcsicmp (_String1="rcv", _String2="BACKUPEXECJOBENGINE") returned 16 [0293.185] _wcsicmp (_String1="redirector", _String2="BACKUPEXECJOBENGINE") returned 16 [0293.185] _wcsicmp (_String1="redir", _String2="BACKUPEXECJOBENGINE") returned 16 [0293.185] _wcsicmp (_String1="rdr", _String2="BACKUPEXECJOBENGINE") returned 16 [0293.185] _wcsicmp (_String1="workstation", _String2="BACKUPEXECJOBENGINE") returned 21 [0293.185] _wcsicmp (_String1="work", _String2="BACKUPEXECJOBENGINE") returned 21 [0293.185] _wcsicmp (_String1="wksta", _String2="BACKUPEXECJOBENGINE") returned 21 [0293.185] _wcsicmp (_String1="prdr", _String2="BACKUPEXECJOBENGINE") returned 14 [0293.185] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECJOBENGINE") returned 2 [0293.186] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECJOBENGINE") returned 10 [0293.186] _wcsicmp (_String1="server", _String2="BACKUPEXECJOBENGINE") returned 17 [0293.186] _wcsicmp (_String1="svr", _String2="BACKUPEXECJOBENGINE") returned 17 [0293.186] _wcsicmp (_String1="srv", _String2="BACKUPEXECJOBENGINE") returned 17 [0293.186] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECJOBENGINE") returned 10 [0293.186] _wcsicmp (_String1="alerter", _String2="BACKUPEXECJOBENGINE") returned -1 [0293.186] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECJOBENGINE") returned 12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="WORKSTATION") returned -21 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="LanmanWorkstation") returned -10 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="SERVER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="LanmanServer") returned -10 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="BROWSER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="BROWSER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="MESSENGER") returned -11 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="MESSENGER") returned -11 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="NETRUN") returned -12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="NETRUN") returned -12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="SPOOLER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="SPOOLER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="ALERTER") returned 1 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="ALERTER") returned 1 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="NETLOGON") returned -12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="NETLOGON") returned -12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="NETPOPUP") returned -12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="NETPOPUP") returned -12 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="SQLSERVER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="SQLSERVER") returned -17 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="REPLICATOR") returned -16 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="REPLICATOR") returned -16 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="REMOTEBOOT") returned -16 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="REMOTEBOOT") returned -16 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="TIMESOURCE") returned -18 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="TIMESOURCE") returned -18 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="AFP") returned 1 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="AFP") returned 1 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="UPS") returned -19 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="UPS") returned -19 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="XACTSRV") returned -22 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="XACTSRV") returned -22 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="TCPIP") returned -18 [0293.186] _wcsicmp (_String1="BACKUPEXECJOBENGINE", _String2="TCPIP") returned -18 [0293.187] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2540990 [0293.187] OpenServiceW (hSCManager=0x2540990, lpServiceName="BACKUPEXECJOBENGINE", dwDesiredAccess=0x84) returned 0x0 [0293.187] GetLastError () returned 0x424 [0293.187] CloseServiceHandle (hSCObject=0x2540990) returned 1 [0293.187] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0293.187] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x170002 [0293.188] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x170002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0293.189] GetFileType (hFile=0x94) returned 0x2 [0293.189] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x13f384 | out: lpMode=0x13f384) returned 1 [0293.189] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x13f390, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x13f390*=0x1e) returned 1 [0293.190] GetFileType (hFile=0x94) returned 0x2 [0293.190] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x13f384 | out: lpMode=0x13f384) returned 1 [0293.190] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x13f390, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x13f390*=0x2) returned 1 [0293.190] _ultow (in: _Dest=0x889, _Radix=1307608 | out: _Dest=0x889) returned="2185" [0293.190] FormatMessageW (in: dwFlags=0x2800, lpSource=0x170002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0293.190] GetFileType (hFile=0x94) returned 0x2 [0293.190] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x13f3a8 | out: lpMode=0x13f3a8) returned 1 [0293.191] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x13f3b4, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x13f3b4*=0x34) returned 1 [0293.191] GetFileType (hFile=0x94) returned 0x2 [0293.191] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x13f3a8 | out: lpMode=0x13f3a8) returned 1 [0293.191] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x13f3b4, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x13f3b4*=0x2) returned 1 [0293.192] NetApiBufferFree (Buffer=0x2537cf0) returned 0x0 [0293.192] NetApiBufferFree (Buffer=0x2537e10) returned 0x0 [0293.192] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecJobEngine /y" [0293.192] exit (_Code=2) Thread: id = 220 os_tid = 0xf88 Process: id = "91" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1b59e000" os_pid = "0xf94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecManagementService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 221 os_tid = 0x132c Thread: id = 225 os_tid = 0x1368 Process: id = "92" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1c841000" os_pid = "0x13d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "91" os_parent_pid = "0xf94" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 222 os_tid = 0x1354 Thread: id = 223 os_tid = 0x13a8 Thread: id = 224 os_tid = 0x138c Process: id = "93" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1b5c2000" os_pid = "0x10c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "91" os_parent_pid = "0xf94" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecManagementService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 226 os_tid = 0x134c [0293.734] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0293.734] __set_app_type (_Type=0x1) [0293.734] __p__fmode () returned 0x776f3c14 [0293.734] __p__commode () returned 0x776f49ec [0293.734] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0293.735] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0293.735] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0293.735] GetConsoleOutputCP () returned 0x1b5 [0293.735] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0293.735] SetThreadUILanguage (LangId=0x0) returned 0x2540409 [0293.738] sprintf_s (in: _DstBuf=0x238fe3c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0293.738] setlocale (category=0, locale=".437") returned="English_United States.437" [0293.740] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0293.740] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0293.740] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecManagementService /y" [0293.740] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x238fbe4, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0293.740] RtlAllocateHeap (HeapHandle=0x27c0000, Flags=0x0, Size=0x8a) returned 0x27c3920 [0293.740] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0293.740] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x238fbe0 | out: Buffer=0x238fbe0*=0x27c7d50) returned 0x0 [0293.740] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x238fbdc | out: Buffer=0x238fbdc*=0x27c7e10) returned 0x0 [0293.740] __iob_func () returned 0x776f2608 [0293.740] _fileno (_File=0x776f2608) returned 0 [0293.740] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0293.740] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0293.740] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0293.740] _wcsicmp (_String1="config", _String2="stop") returned -16 [0293.741] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0293.741] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0293.741] _wcsicmp (_String1="file", _String2="stop") returned -13 [0293.741] _wcsicmp (_String1="files", _String2="stop") returned -13 [0293.741] _wcsicmp (_String1="group", _String2="stop") returned -12 [0293.741] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0293.741] _wcsicmp (_String1="help", _String2="stop") returned -11 [0293.741] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0293.741] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0293.741] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0293.741] _wcsicmp (_String1="session", _String2="stop") returned -15 [0293.741] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0293.741] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0293.741] _wcsicmp (_String1="share", _String2="stop") returned -12 [0293.741] _wcsicmp (_String1="start", _String2="stop") returned -14 [0293.741] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0293.741] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0293.741] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0293.741] _wcsicmp (_String1="accounts", _String2="BackupExecManagementService") returned -1 [0293.741] _wcsicmp (_String1="computer", _String2="BackupExecManagementService") returned 1 [0293.741] _wcsicmp (_String1="config", _String2="BackupExecManagementService") returned 1 [0293.741] _wcsicmp (_String1="continue", _String2="BackupExecManagementService") returned 1 [0293.741] _wcsicmp (_String1="cont", _String2="BackupExecManagementService") returned 1 [0293.741] _wcsicmp (_String1="file", _String2="BackupExecManagementService") returned 4 [0293.741] _wcsicmp (_String1="files", _String2="BackupExecManagementService") returned 4 [0293.741] _wcsicmp (_String1="group", _String2="BackupExecManagementService") returned 5 [0293.741] _wcsicmp (_String1="groups", _String2="BackupExecManagementService") returned 5 [0293.741] _wcsicmp (_String1="help", _String2="BackupExecManagementService") returned 6 [0293.741] _wcsicmp (_String1="helpmsg", _String2="BackupExecManagementService") returned 6 [0293.741] _wcsicmp (_String1="localgroup", _String2="BackupExecManagementService") returned 10 [0293.741] _wcsicmp (_String1="pause", _String2="BackupExecManagementService") returned 14 [0293.741] _wcsicmp (_String1="session", _String2="BackupExecManagementService") returned 17 [0293.741] _wcsicmp (_String1="sessions", _String2="BackupExecManagementService") returned 17 [0293.741] _wcsicmp (_String1="sess", _String2="BackupExecManagementService") returned 17 [0293.741] _wcsicmp (_String1="share", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="start", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="stats", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="statistics", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="stop", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="time", _String2="BackupExecManagementService") returned 18 [0293.742] _wcsicmp (_String1="user", _String2="BackupExecManagementService") returned 19 [0293.742] _wcsicmp (_String1="users", _String2="BackupExecManagementService") returned 19 [0293.742] _wcsicmp (_String1="msg", _String2="BackupExecManagementService") returned 11 [0293.742] _wcsicmp (_String1="messenger", _String2="BackupExecManagementService") returned 11 [0293.742] _wcsicmp (_String1="receiver", _String2="BackupExecManagementService") returned 16 [0293.742] _wcsicmp (_String1="rcv", _String2="BackupExecManagementService") returned 16 [0293.742] _wcsicmp (_String1="netpopup", _String2="BackupExecManagementService") returned 12 [0293.742] _wcsicmp (_String1="redirector", _String2="BackupExecManagementService") returned 16 [0293.742] _wcsicmp (_String1="redir", _String2="BackupExecManagementService") returned 16 [0293.742] _wcsicmp (_String1="rdr", _String2="BackupExecManagementService") returned 16 [0293.742] _wcsicmp (_String1="workstation", _String2="BackupExecManagementService") returned 21 [0293.742] _wcsicmp (_String1="work", _String2="BackupExecManagementService") returned 21 [0293.742] _wcsicmp (_String1="wksta", _String2="BackupExecManagementService") returned 21 [0293.742] _wcsicmp (_String1="prdr", _String2="BackupExecManagementService") returned 14 [0293.742] _wcsicmp (_String1="devrdr", _String2="BackupExecManagementService") returned 2 [0293.742] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecManagementService") returned 10 [0293.742] _wcsicmp (_String1="server", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="svr", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="srv", _String2="BackupExecManagementService") returned 17 [0293.742] _wcsicmp (_String1="lanmanserver", _String2="BackupExecManagementService") returned 10 [0293.742] _wcsicmp (_String1="alerter", _String2="BackupExecManagementService") returned -1 [0293.742] _wcsicmp (_String1="netlogon", _String2="BackupExecManagementService") returned 12 [0293.742] _wcsupr (in: _String="BackupExecManagementService" | out: _String="BACKUPEXECMANAGEMENTSERVICE") returned="BACKUPEXECMANAGEMENTSERVICE" [0293.742] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x27d0778 [0293.745] GetServiceKeyNameW (in: hSCManager=0x27d0778, lpDisplayName="BACKUPEXECMANAGEMENTSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x238fb54 | out: lpServiceName="", lpcchBuffer=0x238fb54) returned 0 [0293.746] _wcsicmp (_String1="msg", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 11 [0293.746] _wcsicmp (_String1="messenger", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 11 [0293.746] _wcsicmp (_String1="receiver", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0293.746] _wcsicmp (_String1="rcv", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0293.746] _wcsicmp (_String1="redirector", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0293.746] _wcsicmp (_String1="redir", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0293.746] _wcsicmp (_String1="rdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0293.746] _wcsicmp (_String1="workstation", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0293.746] _wcsicmp (_String1="work", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0293.746] _wcsicmp (_String1="wksta", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0293.746] _wcsicmp (_String1="prdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 14 [0293.746] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 2 [0293.746] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 10 [0293.746] _wcsicmp (_String1="server", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0293.747] _wcsicmp (_String1="svr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0293.747] _wcsicmp (_String1="srv", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0293.747] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 10 [0293.747] _wcsicmp (_String1="alerter", _String2="BACKUPEXECMANAGEMENTSERVICE") returned -1 [0293.747] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="WORKSTATION") returned -21 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="LanmanWorkstation") returned -10 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="SERVER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="LanmanServer") returned -10 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="BROWSER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="BROWSER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="MESSENGER") returned -11 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="MESSENGER") returned -11 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="NETRUN") returned -12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="NETRUN") returned -12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="SPOOLER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="SPOOLER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="ALERTER") returned 1 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="ALERTER") returned 1 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="NETLOGON") returned -12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="NETLOGON") returned -12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="NETPOPUP") returned -12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="NETPOPUP") returned -12 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="SQLSERVER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="SQLSERVER") returned -17 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="REPLICATOR") returned -16 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="REPLICATOR") returned -16 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="REMOTEBOOT") returned -16 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="REMOTEBOOT") returned -16 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="TIMESOURCE") returned -18 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="TIMESOURCE") returned -18 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="AFP") returned 1 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="AFP") returned 1 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="UPS") returned -19 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="UPS") returned -19 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="XACTSRV") returned -22 [0293.747] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="XACTSRV") returned -22 [0293.748] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="TCPIP") returned -18 [0293.748] _wcsicmp (_String1="BACKUPEXECMANAGEMENTSERVICE", _String2="TCPIP") returned -18 [0293.748] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x27d07c8 [0293.748] OpenServiceW (hSCManager=0x27d07c8, lpServiceName="BACKUPEXECMANAGEMENTSERVICE", dwDesiredAccess=0x84) returned 0x0 [0293.748] GetLastError () returned 0x424 [0293.748] CloseServiceHandle (hSCObject=0x27d07c8) returned 1 [0293.749] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0293.749] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2760002 [0293.749] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2760002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0293.750] GetFileType (hFile=0x94) returned 0x2 [0293.750] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x238f9e4 | out: lpMode=0x238f9e4) returned 1 [0293.750] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x238f9f0, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x238f9f0*=0x1e) returned 1 [0293.751] GetFileType (hFile=0x94) returned 0x2 [0293.751] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x238f9e4 | out: lpMode=0x238f9e4) returned 1 [0293.751] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x238f9f0, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x238f9f0*=0x2) returned 1 [0293.751] _ultow (in: _Dest=0x889, _Radix=37288504 | out: _Dest=0x889) returned="2185" [0293.751] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2760002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0293.752] GetFileType (hFile=0x94) returned 0x2 [0293.752] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x238fa08 | out: lpMode=0x238fa08) returned 1 [0293.752] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x238fa14, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x238fa14*=0x34) returned 1 [0293.752] GetFileType (hFile=0x94) returned 0x2 [0293.752] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x238fa08 | out: lpMode=0x238fa08) returned 1 [0293.753] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x238fa14, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x238fa14*=0x2) returned 1 [0293.753] NetApiBufferFree (Buffer=0x27c7d50) returned 0x0 [0293.753] NetApiBufferFree (Buffer=0x27c7e10) returned 0x0 [0293.753] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecManagementService /y" [0293.753] exit (_Code=2) Thread: id = 227 os_tid = 0x1370 Process: id = "94" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6023000" os_pid = "0x136c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop BackupExecRPCService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 228 os_tid = 0x11d0 Thread: id = 232 os_tid = 0x1214 Process: id = "95" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59104000" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x136c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 229 os_tid = 0x12b0 Thread: id = 230 os_tid = 0x13ac Thread: id = 231 os_tid = 0x1310 Process: id = "96" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x15101000" os_pid = "0x1348" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x136c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BackupExecRPCService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 233 os_tid = 0x1190 [0294.118] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0294.118] __set_app_type (_Type=0x1) [0294.118] __p__fmode () returned 0x776f3c14 [0294.118] __p__commode () returned 0x776f49ec [0294.118] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0294.118] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0294.118] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0294.118] GetConsoleOutputCP () returned 0x1b5 [0294.119] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0294.119] SetThreadUILanguage (LangId=0x0) returned 0x30a0409 [0294.122] sprintf_s (in: _DstBuf=0x2f9fe2c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0294.122] setlocale (category=0, locale=".437") returned="English_United States.437" [0294.124] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0294.124] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0294.124] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecRPCService /y" [0294.124] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f9fbd4, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0294.124] RtlAllocateHeap (HeapHandle=0x3560000, Flags=0x0, Size=0x7c) returned 0x35645b0 [0294.124] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0294.124] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f9fbd0 | out: Buffer=0x2f9fbd0*=0x3567dd0) returned 0x0 [0294.124] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f9fbcc | out: Buffer=0x2f9fbcc*=0x3567de8) returned 0x0 [0294.124] __iob_func () returned 0x776f2608 [0294.124] _fileno (_File=0x776f2608) returned 0 [0294.124] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0294.124] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0294.124] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0294.124] _wcsicmp (_String1="config", _String2="stop") returned -16 [0294.124] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0294.124] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0294.124] _wcsicmp (_String1="file", _String2="stop") returned -13 [0294.124] _wcsicmp (_String1="files", _String2="stop") returned -13 [0294.124] _wcsicmp (_String1="group", _String2="stop") returned -12 [0294.124] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0294.124] _wcsicmp (_String1="help", _String2="stop") returned -11 [0294.124] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0294.124] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0294.125] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0294.125] _wcsicmp (_String1="session", _String2="stop") returned -15 [0294.125] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0294.125] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0294.125] _wcsicmp (_String1="share", _String2="stop") returned -12 [0294.125] _wcsicmp (_String1="start", _String2="stop") returned -14 [0294.125] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0294.125] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0294.125] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0294.125] _wcsicmp (_String1="accounts", _String2="BackupExecRPCService") returned -1 [0294.125] _wcsicmp (_String1="computer", _String2="BackupExecRPCService") returned 1 [0294.125] _wcsicmp (_String1="config", _String2="BackupExecRPCService") returned 1 [0294.125] _wcsicmp (_String1="continue", _String2="BackupExecRPCService") returned 1 [0294.125] _wcsicmp (_String1="cont", _String2="BackupExecRPCService") returned 1 [0294.125] _wcsicmp (_String1="file", _String2="BackupExecRPCService") returned 4 [0294.125] _wcsicmp (_String1="files", _String2="BackupExecRPCService") returned 4 [0294.125] _wcsicmp (_String1="group", _String2="BackupExecRPCService") returned 5 [0294.125] _wcsicmp (_String1="groups", _String2="BackupExecRPCService") returned 5 [0294.125] _wcsicmp (_String1="help", _String2="BackupExecRPCService") returned 6 [0294.125] _wcsicmp (_String1="helpmsg", _String2="BackupExecRPCService") returned 6 [0294.125] _wcsicmp (_String1="localgroup", _String2="BackupExecRPCService") returned 10 [0294.125] _wcsicmp (_String1="pause", _String2="BackupExecRPCService") returned 14 [0294.125] _wcsicmp (_String1="session", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="sessions", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="sess", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="share", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="start", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="stats", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="statistics", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="stop", _String2="BackupExecRPCService") returned 17 [0294.125] _wcsicmp (_String1="time", _String2="BackupExecRPCService") returned 18 [0294.125] _wcsicmp (_String1="user", _String2="BackupExecRPCService") returned 19 [0294.125] _wcsicmp (_String1="users", _String2="BackupExecRPCService") returned 19 [0294.125] _wcsicmp (_String1="msg", _String2="BackupExecRPCService") returned 11 [0294.125] _wcsicmp (_String1="messenger", _String2="BackupExecRPCService") returned 11 [0294.125] _wcsicmp (_String1="receiver", _String2="BackupExecRPCService") returned 16 [0294.126] _wcsicmp (_String1="rcv", _String2="BackupExecRPCService") returned 16 [0294.126] _wcsicmp (_String1="netpopup", _String2="BackupExecRPCService") returned 12 [0294.126] _wcsicmp (_String1="redirector", _String2="BackupExecRPCService") returned 16 [0294.126] _wcsicmp (_String1="redir", _String2="BackupExecRPCService") returned 16 [0294.126] _wcsicmp (_String1="rdr", _String2="BackupExecRPCService") returned 16 [0294.126] _wcsicmp (_String1="workstation", _String2="BackupExecRPCService") returned 21 [0294.126] _wcsicmp (_String1="work", _String2="BackupExecRPCService") returned 21 [0294.126] _wcsicmp (_String1="wksta", _String2="BackupExecRPCService") returned 21 [0294.126] _wcsicmp (_String1="prdr", _String2="BackupExecRPCService") returned 14 [0294.126] _wcsicmp (_String1="devrdr", _String2="BackupExecRPCService") returned 2 [0294.126] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecRPCService") returned 10 [0294.126] _wcsicmp (_String1="server", _String2="BackupExecRPCService") returned 17 [0294.126] _wcsicmp (_String1="svr", _String2="BackupExecRPCService") returned 17 [0294.126] _wcsicmp (_String1="srv", _String2="BackupExecRPCService") returned 17 [0294.126] _wcsicmp (_String1="lanmanserver", _String2="BackupExecRPCService") returned 10 [0294.126] _wcsicmp (_String1="alerter", _String2="BackupExecRPCService") returned -1 [0294.126] _wcsicmp (_String1="netlogon", _String2="BackupExecRPCService") returned 12 [0294.126] _wcsupr (in: _String="BackupExecRPCService" | out: _String="BACKUPEXECRPCSERVICE") returned="BACKUPEXECRPCSERVICE" [0294.126] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3570b00 [0294.129] GetServiceKeyNameW (in: hSCManager=0x3570b00, lpDisplayName="BACKUPEXECRPCSERVICE", lpServiceName=0x1c8c28, lpcchBuffer=0x2f9fb44 | out: lpServiceName="", lpcchBuffer=0x2f9fb44) returned 0 [0294.130] _wcsicmp (_String1="msg", _String2="BACKUPEXECRPCSERVICE") returned 11 [0294.130] _wcsicmp (_String1="messenger", _String2="BACKUPEXECRPCSERVICE") returned 11 [0294.130] _wcsicmp (_String1="receiver", _String2="BACKUPEXECRPCSERVICE") returned 16 [0294.130] _wcsicmp (_String1="rcv", _String2="BACKUPEXECRPCSERVICE") returned 16 [0294.130] _wcsicmp (_String1="redirector", _String2="BACKUPEXECRPCSERVICE") returned 16 [0294.130] _wcsicmp (_String1="redir", _String2="BACKUPEXECRPCSERVICE") returned 16 [0294.130] _wcsicmp (_String1="rdr", _String2="BACKUPEXECRPCSERVICE") returned 16 [0294.130] _wcsicmp (_String1="workstation", _String2="BACKUPEXECRPCSERVICE") returned 21 [0294.130] _wcsicmp (_String1="work", _String2="BACKUPEXECRPCSERVICE") returned 21 [0294.130] _wcsicmp (_String1="wksta", _String2="BACKUPEXECRPCSERVICE") returned 21 [0294.130] _wcsicmp (_String1="prdr", _String2="BACKUPEXECRPCSERVICE") returned 14 [0294.130] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECRPCSERVICE") returned 2 [0294.130] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECRPCSERVICE") returned 10 [0294.130] _wcsicmp (_String1="server", _String2="BACKUPEXECRPCSERVICE") returned 17 [0294.130] _wcsicmp (_String1="svr", _String2="BACKUPEXECRPCSERVICE") returned 17 [0294.130] _wcsicmp (_String1="srv", _String2="BACKUPEXECRPCSERVICE") returned 17 [0294.130] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECRPCSERVICE") returned 10 [0294.130] _wcsicmp (_String1="alerter", _String2="BACKUPEXECRPCSERVICE") returned -1 [0294.130] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECRPCSERVICE") returned 12 [0294.130] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="WORKSTATION") returned -21 [0294.130] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="LanmanWorkstation") returned -10 [0294.130] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="SERVER") returned -17 [0294.130] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="LanmanServer") returned -10 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="BROWSER") returned -17 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="BROWSER") returned -17 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="MESSENGER") returned -11 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="MESSENGER") returned -11 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="NETRUN") returned -12 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="NETRUN") returned -12 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="SPOOLER") returned -17 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="SPOOLER") returned -17 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="ALERTER") returned 1 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="ALERTER") returned 1 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="NETLOGON") returned -12 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="NETLOGON") returned -12 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="NETPOPUP") returned -12 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="NETPOPUP") returned -12 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="SQLSERVER") returned -17 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="SQLSERVER") returned -17 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="REPLICATOR") returned -16 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="REPLICATOR") returned -16 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="REMOTEBOOT") returned -16 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="REMOTEBOOT") returned -16 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="TIMESOURCE") returned -18 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="TIMESOURCE") returned -18 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="AFP") returned 1 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="AFP") returned 1 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="UPS") returned -19 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="UPS") returned -19 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="XACTSRV") returned -22 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="XACTSRV") returned -22 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="TCPIP") returned -18 [0294.131] _wcsicmp (_String1="BACKUPEXECRPCSERVICE", _String2="TCPIP") returned -18 [0294.131] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3570948 [0294.132] OpenServiceW (hSCManager=0x3570948, lpServiceName="BACKUPEXECRPCSERVICE", dwDesiredAccess=0x84) returned 0x0 [0294.132] GetLastError () returned 0x424 [0294.132] CloseServiceHandle (hSCObject=0x3570948) returned 1 [0294.132] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0294.132] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2fd0002 [0294.133] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2fd0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0294.133] GetFileType (hFile=0x94) returned 0x2 [0294.134] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f9f9d4 | out: lpMode=0x2f9f9d4) returned 1 [0294.134] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2f9f9e0, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f9f9e0*=0x1e) returned 1 [0294.134] GetFileType (hFile=0x94) returned 0x2 [0294.134] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f9f9d4 | out: lpMode=0x2f9f9d4) returned 1 [0294.135] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f9f9e0, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f9f9e0*=0x2) returned 1 [0294.135] _ultow (in: _Dest=0x889, _Radix=49936936 | out: _Dest=0x889) returned="2185" [0294.135] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2fd0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0294.135] GetFileType (hFile=0x94) returned 0x2 [0294.135] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f9f9f8 | out: lpMode=0x2f9f9f8) returned 1 [0294.135] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2f9fa04, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f9fa04*=0x34) returned 1 [0294.136] GetFileType (hFile=0x94) returned 0x2 [0294.136] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f9f9f8 | out: lpMode=0x2f9f9f8) returned 1 [0294.136] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f9fa04, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f9fa04*=0x2) returned 1 [0294.136] NetApiBufferFree (Buffer=0x3567dd0) returned 0x0 [0294.137] NetApiBufferFree (Buffer=0x3567de8) returned 0x0 [0294.137] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BackupExecRPCService /y" [0294.137] exit (_Code=2) Thread: id = 234 os_tid = 0xd98 Process: id = "97" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0xb3a8000" os_pid = "0xa28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop AcrSch2Svc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 235 os_tid = 0x1130 Thread: id = 239 os_tid = 0x126c Process: id = "98" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6bdfb000" os_pid = "0x390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "97" os_parent_pid = "0xa28" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 236 os_tid = 0x118c Thread: id = 237 os_tid = 0x13e0 Thread: id = 238 os_tid = 0x1324 Process: id = "99" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0xbafa000" os_pid = "0x1218" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "97" os_parent_pid = "0xa28" cmd_line = "C:\\WINDOWS\\system32\\net1 stop AcrSch2Svc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 240 os_tid = 0x1358 [0294.518] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0294.520] __set_app_type (_Type=0x1) [0294.520] __p__fmode () returned 0x776f3c14 [0294.520] __p__commode () returned 0x776f49ec [0294.520] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0294.520] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0294.520] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0294.520] GetConsoleOutputCP () returned 0x1b5 [0294.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0294.521] SetThreadUILanguage (LangId=0x0) returned 0x2af0409 [0294.523] sprintf_s (in: _DstBuf=0x2cbf93c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0294.523] setlocale (category=0, locale=".437") returned="English_United States.437" [0294.525] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0294.525] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0294.525] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop AcrSch2Svc /y" [0294.525] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cbf6e4, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0294.525] RtlAllocateHeap (HeapHandle=0x2ce0000, Flags=0x0, Size=0x68) returned 0x2ce7878 [0294.525] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0294.525] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cbf6e0 | out: Buffer=0x2cbf6e0*=0x2ce84d0) returned 0x0 [0294.525] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cbf6dc | out: Buffer=0x2cbf6dc*=0x2ce8530) returned 0x0 [0294.525] __iob_func () returned 0x776f2608 [0294.525] _fileno (_File=0x776f2608) returned 0 [0294.525] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0294.525] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0294.525] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0294.525] _wcsicmp (_String1="config", _String2="stop") returned -16 [0294.525] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0294.525] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0294.525] _wcsicmp (_String1="file", _String2="stop") returned -13 [0294.526] _wcsicmp (_String1="files", _String2="stop") returned -13 [0294.526] _wcsicmp (_String1="group", _String2="stop") returned -12 [0294.526] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0294.526] _wcsicmp (_String1="help", _String2="stop") returned -11 [0294.526] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0294.526] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0294.526] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0294.526] _wcsicmp (_String1="session", _String2="stop") returned -15 [0294.526] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0294.526] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0294.526] _wcsicmp (_String1="share", _String2="stop") returned -12 [0294.526] _wcsicmp (_String1="start", _String2="stop") returned -14 [0294.526] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0294.526] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0294.526] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0294.526] _wcsicmp (_String1="accounts", _String2="AcrSch2Svc") returned -15 [0294.526] _wcsicmp (_String1="computer", _String2="AcrSch2Svc") returned 2 [0294.526] _wcsicmp (_String1="config", _String2="AcrSch2Svc") returned 2 [0294.526] _wcsicmp (_String1="continue", _String2="AcrSch2Svc") returned 2 [0294.526] _wcsicmp (_String1="cont", _String2="AcrSch2Svc") returned 2 [0294.526] _wcsicmp (_String1="file", _String2="AcrSch2Svc") returned 5 [0294.526] _wcsicmp (_String1="files", _String2="AcrSch2Svc") returned 5 [0294.526] _wcsicmp (_String1="group", _String2="AcrSch2Svc") returned 6 [0294.526] _wcsicmp (_String1="groups", _String2="AcrSch2Svc") returned 6 [0294.526] _wcsicmp (_String1="help", _String2="AcrSch2Svc") returned 7 [0294.526] _wcsicmp (_String1="helpmsg", _String2="AcrSch2Svc") returned 7 [0294.526] _wcsicmp (_String1="localgroup", _String2="AcrSch2Svc") returned 11 [0294.526] _wcsicmp (_String1="pause", _String2="AcrSch2Svc") returned 15 [0294.526] _wcsicmp (_String1="session", _String2="AcrSch2Svc") returned 18 [0294.526] _wcsicmp (_String1="sessions", _String2="AcrSch2Svc") returned 18 [0294.526] _wcsicmp (_String1="sess", _String2="AcrSch2Svc") returned 18 [0294.526] _wcsicmp (_String1="share", _String2="AcrSch2Svc") returned 18 [0294.526] _wcsicmp (_String1="start", _String2="AcrSch2Svc") returned 18 [0294.526] _wcsicmp (_String1="stats", _String2="AcrSch2Svc") returned 18 [0294.527] _wcsicmp (_String1="statistics", _String2="AcrSch2Svc") returned 18 [0294.527] _wcsicmp (_String1="stop", _String2="AcrSch2Svc") returned 18 [0294.527] _wcsicmp (_String1="time", _String2="AcrSch2Svc") returned 19 [0294.527] _wcsicmp (_String1="user", _String2="AcrSch2Svc") returned 20 [0294.527] _wcsicmp (_String1="users", _String2="AcrSch2Svc") returned 20 [0294.527] _wcsicmp (_String1="msg", _String2="AcrSch2Svc") returned 12 [0294.527] _wcsicmp (_String1="messenger", _String2="AcrSch2Svc") returned 12 [0294.527] _wcsicmp (_String1="receiver", _String2="AcrSch2Svc") returned 17 [0294.527] _wcsicmp (_String1="rcv", _String2="AcrSch2Svc") returned 17 [0294.527] _wcsicmp (_String1="netpopup", _String2="AcrSch2Svc") returned 13 [0294.527] _wcsicmp (_String1="redirector", _String2="AcrSch2Svc") returned 17 [0294.527] _wcsicmp (_String1="redir", _String2="AcrSch2Svc") returned 17 [0294.527] _wcsicmp (_String1="rdr", _String2="AcrSch2Svc") returned 17 [0294.527] _wcsicmp (_String1="workstation", _String2="AcrSch2Svc") returned 22 [0294.527] _wcsicmp (_String1="work", _String2="AcrSch2Svc") returned 22 [0294.527] _wcsicmp (_String1="wksta", _String2="AcrSch2Svc") returned 22 [0294.527] _wcsicmp (_String1="prdr", _String2="AcrSch2Svc") returned 15 [0294.527] _wcsicmp (_String1="devrdr", _String2="AcrSch2Svc") returned 3 [0294.527] _wcsicmp (_String1="lanmanworkstation", _String2="AcrSch2Svc") returned 11 [0294.527] _wcsicmp (_String1="server", _String2="AcrSch2Svc") returned 18 [0294.527] _wcsicmp (_String1="svr", _String2="AcrSch2Svc") returned 18 [0294.527] _wcsicmp (_String1="srv", _String2="AcrSch2Svc") returned 18 [0294.527] _wcsicmp (_String1="lanmanserver", _String2="AcrSch2Svc") returned 11 [0294.527] _wcsicmp (_String1="alerter", _String2="AcrSch2Svc") returned 9 [0294.527] _wcsicmp (_String1="netlogon", _String2="AcrSch2Svc") returned 13 [0294.527] _wcsupr (in: _String="AcrSch2Svc" | out: _String="ACRSCH2SVC") returned="ACRSCH2SVC" [0294.527] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2cf0a20 [0294.530] GetServiceKeyNameW (in: hSCManager=0x2cf0a20, lpDisplayName="ACRSCH2SVC", lpServiceName=0x1c8c28, lpcchBuffer=0x2cbf654 | out: lpServiceName="", lpcchBuffer=0x2cbf654) returned 0 [0294.531] _wcsicmp (_String1="msg", _String2="ACRSCH2SVC") returned 12 [0294.531] _wcsicmp (_String1="messenger", _String2="ACRSCH2SVC") returned 12 [0294.531] _wcsicmp (_String1="receiver", _String2="ACRSCH2SVC") returned 17 [0294.531] _wcsicmp (_String1="rcv", _String2="ACRSCH2SVC") returned 17 [0294.531] _wcsicmp (_String1="redirector", _String2="ACRSCH2SVC") returned 17 [0294.531] _wcsicmp (_String1="redir", _String2="ACRSCH2SVC") returned 17 [0294.531] _wcsicmp (_String1="rdr", _String2="ACRSCH2SVC") returned 17 [0294.531] _wcsicmp (_String1="workstation", _String2="ACRSCH2SVC") returned 22 [0294.531] _wcsicmp (_String1="work", _String2="ACRSCH2SVC") returned 22 [0294.531] _wcsicmp (_String1="wksta", _String2="ACRSCH2SVC") returned 22 [0294.531] _wcsicmp (_String1="prdr", _String2="ACRSCH2SVC") returned 15 [0294.531] _wcsicmp (_String1="devrdr", _String2="ACRSCH2SVC") returned 3 [0294.531] _wcsicmp (_String1="lanmanworkstation", _String2="ACRSCH2SVC") returned 11 [0294.531] _wcsicmp (_String1="server", _String2="ACRSCH2SVC") returned 18 [0294.531] _wcsicmp (_String1="svr", _String2="ACRSCH2SVC") returned 18 [0294.531] _wcsicmp (_String1="srv", _String2="ACRSCH2SVC") returned 18 [0294.531] _wcsicmp (_String1="lanmanserver", _String2="ACRSCH2SVC") returned 11 [0294.531] _wcsicmp (_String1="alerter", _String2="ACRSCH2SVC") returned 9 [0294.531] _wcsicmp (_String1="netlogon", _String2="ACRSCH2SVC") returned 13 [0294.531] _wcsicmp (_String1="ACRSCH2SVC", _String2="WORKSTATION") returned -22 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="LanmanWorkstation") returned -11 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="SERVER") returned -18 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="LanmanServer") returned -11 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="BROWSER") returned -1 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="BROWSER") returned -1 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="MESSENGER") returned -12 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="MESSENGER") returned -12 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="NETRUN") returned -13 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="NETRUN") returned -13 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="SPOOLER") returned -18 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="SPOOLER") returned -18 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="ALERTER") returned -9 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="ALERTER") returned -9 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="NETLOGON") returned -13 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="NETLOGON") returned -13 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="NETPOPUP") returned -13 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="NETPOPUP") returned -13 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="SQLSERVER") returned -18 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="SQLSERVER") returned -18 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="REPLICATOR") returned -17 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="REPLICATOR") returned -17 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="REMOTEBOOT") returned -17 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="REMOTEBOOT") returned -17 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="TIMESOURCE") returned -19 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="TIMESOURCE") returned -19 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="AFP") returned -3 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="AFP") returned -3 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="UPS") returned -20 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="UPS") returned -20 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="XACTSRV") returned -23 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="XACTSRV") returned -23 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="TCPIP") returned -19 [0294.532] _wcsicmp (_String1="ACRSCH2SVC", _String2="TCPIP") returned -19 [0294.532] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2cf0a48 [0294.533] OpenServiceW (hSCManager=0x2cf0a48, lpServiceName="ACRSCH2SVC", dwDesiredAccess=0x84) returned 0x0 [0294.533] GetLastError () returned 0x424 [0294.536] CloseServiceHandle (hSCObject=0x2cf0a48) returned 1 [0294.537] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0294.537] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2cd0002 [0294.537] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2cd0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0294.538] GetFileType (hFile=0x94) returned 0x2 [0294.538] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf4e4 | out: lpMode=0x2cbf4e4) returned 1 [0294.538] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2cbf4f0, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2cbf4f0*=0x1e) returned 1 [0294.539] GetFileType (hFile=0x94) returned 0x2 [0294.539] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf4e4 | out: lpMode=0x2cbf4e4) returned 1 [0294.539] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2cbf4f0, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2cbf4f0*=0x2) returned 1 [0294.539] _ultow (in: _Dest=0x889, _Radix=46921016 | out: _Dest=0x889) returned="2185" [0294.539] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2cd0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0294.540] GetFileType (hFile=0x94) returned 0x2 [0294.540] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf508 | out: lpMode=0x2cbf508) returned 1 [0294.540] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2cbf514, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2cbf514*=0x34) returned 1 [0294.540] GetFileType (hFile=0x94) returned 0x2 [0294.540] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2cbf508 | out: lpMode=0x2cbf508) returned 1 [0294.540] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2cbf514, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2cbf514*=0x2) returned 1 [0294.541] NetApiBufferFree (Buffer=0x2ce84d0) returned 0x0 [0294.541] NetApiBufferFree (Buffer=0x2ce8530) returned 0x0 [0294.541] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop AcrSch2Svc /y" [0294.541] exit (_Code=2) Thread: id = 241 os_tid = 0x1350 Process: id = "100" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5acab000" os_pid = "0xc1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop AcronisAgent /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 242 os_tid = 0x1104 Thread: id = 246 os_tid = 0x13c4 Process: id = "101" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x18e13000" os_pid = "0x1328" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "100" os_parent_pid = "0xc1c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 243 os_tid = 0x1388 Thread: id = 244 os_tid = 0x13d8 Thread: id = 245 os_tid = 0x10c8 Process: id = "102" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x15191000" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "100" os_parent_pid = "0xc1c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop AcronisAgent /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 247 os_tid = 0x123c [0294.989] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0294.989] __set_app_type (_Type=0x1) [0294.989] __p__fmode () returned 0x776f3c14 [0294.989] __p__commode () returned 0x776f49ec [0294.989] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0294.990] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0294.990] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0294.990] GetConsoleOutputCP () returned 0x1b5 [0294.990] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0294.990] SetThreadUILanguage (LangId=0x0) returned 0x30d0409 [0294.993] sprintf_s (in: _DstBuf=0x2f4f970, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0294.993] setlocale (category=0, locale=".437") returned="English_United States.437" [0294.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0294.995] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0294.995] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop AcronisAgent /y" [0294.995] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f4f718, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0294.995] RtlAllocateHeap (HeapHandle=0x34c0000, Flags=0x0, Size=0x6c) returned 0x34c3f20 [0294.995] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0294.995] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f4f714 | out: Buffer=0x2f4f714*=0x34c8580) returned 0x0 [0294.995] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f4f710 | out: Buffer=0x2f4f710*=0x34c8610) returned 0x0 [0294.995] __iob_func () returned 0x776f2608 [0294.995] _fileno (_File=0x776f2608) returned 0 [0294.995] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0294.996] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0294.996] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0294.996] _wcsicmp (_String1="config", _String2="stop") returned -16 [0294.996] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0294.996] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0294.996] _wcsicmp (_String1="file", _String2="stop") returned -13 [0294.996] _wcsicmp (_String1="files", _String2="stop") returned -13 [0294.996] _wcsicmp (_String1="group", _String2="stop") returned -12 [0294.996] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0294.996] _wcsicmp (_String1="help", _String2="stop") returned -11 [0294.996] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0294.996] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0294.996] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0294.996] _wcsicmp (_String1="session", _String2="stop") returned -15 [0294.996] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0294.996] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0294.996] _wcsicmp (_String1="share", _String2="stop") returned -12 [0294.996] _wcsicmp (_String1="start", _String2="stop") returned -14 [0294.996] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0294.996] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0294.996] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0294.996] _wcsicmp (_String1="accounts", _String2="AcronisAgent") returned -15 [0294.996] _wcsicmp (_String1="computer", _String2="AcronisAgent") returned 2 [0294.996] _wcsicmp (_String1="config", _String2="AcronisAgent") returned 2 [0294.996] _wcsicmp (_String1="continue", _String2="AcronisAgent") returned 2 [0294.996] _wcsicmp (_String1="cont", _String2="AcronisAgent") returned 2 [0294.996] _wcsicmp (_String1="file", _String2="AcronisAgent") returned 5 [0294.996] _wcsicmp (_String1="files", _String2="AcronisAgent") returned 5 [0294.996] _wcsicmp (_String1="group", _String2="AcronisAgent") returned 6 [0294.996] _wcsicmp (_String1="groups", _String2="AcronisAgent") returned 6 [0294.996] _wcsicmp (_String1="help", _String2="AcronisAgent") returned 7 [0294.996] _wcsicmp (_String1="helpmsg", _String2="AcronisAgent") returned 7 [0294.996] _wcsicmp (_String1="localgroup", _String2="AcronisAgent") returned 11 [0294.996] _wcsicmp (_String1="pause", _String2="AcronisAgent") returned 15 [0294.997] _wcsicmp (_String1="session", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="sessions", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="sess", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="share", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="start", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="stats", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="statistics", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="stop", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="time", _String2="AcronisAgent") returned 19 [0294.997] _wcsicmp (_String1="user", _String2="AcronisAgent") returned 20 [0294.997] _wcsicmp (_String1="users", _String2="AcronisAgent") returned 20 [0294.997] _wcsicmp (_String1="msg", _String2="AcronisAgent") returned 12 [0294.997] _wcsicmp (_String1="messenger", _String2="AcronisAgent") returned 12 [0294.997] _wcsicmp (_String1="receiver", _String2="AcronisAgent") returned 17 [0294.997] _wcsicmp (_String1="rcv", _String2="AcronisAgent") returned 17 [0294.997] _wcsicmp (_String1="netpopup", _String2="AcronisAgent") returned 13 [0294.997] _wcsicmp (_String1="redirector", _String2="AcronisAgent") returned 17 [0294.997] _wcsicmp (_String1="redir", _String2="AcronisAgent") returned 17 [0294.997] _wcsicmp (_String1="rdr", _String2="AcronisAgent") returned 17 [0294.997] _wcsicmp (_String1="workstation", _String2="AcronisAgent") returned 22 [0294.997] _wcsicmp (_String1="work", _String2="AcronisAgent") returned 22 [0294.997] _wcsicmp (_String1="wksta", _String2="AcronisAgent") returned 22 [0294.997] _wcsicmp (_String1="prdr", _String2="AcronisAgent") returned 15 [0294.997] _wcsicmp (_String1="devrdr", _String2="AcronisAgent") returned 3 [0294.997] _wcsicmp (_String1="lanmanworkstation", _String2="AcronisAgent") returned 11 [0294.997] _wcsicmp (_String1="server", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="svr", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="srv", _String2="AcronisAgent") returned 18 [0294.997] _wcsicmp (_String1="lanmanserver", _String2="AcronisAgent") returned 11 [0294.997] _wcsicmp (_String1="alerter", _String2="AcronisAgent") returned 9 [0294.997] _wcsicmp (_String1="netlogon", _String2="AcronisAgent") returned 13 [0294.997] _wcsupr (in: _String="AcronisAgent" | out: _String="ACRONISAGENT") returned="ACRONISAGENT" [0294.997] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34d0a80 [0295.000] GetServiceKeyNameW (in: hSCManager=0x34d0a80, lpDisplayName="ACRONISAGENT", lpServiceName=0x1c8c28, lpcchBuffer=0x2f4f684 | out: lpServiceName="", lpcchBuffer=0x2f4f684) returned 0 [0295.001] _wcsicmp (_String1="msg", _String2="ACRONISAGENT") returned 12 [0295.001] _wcsicmp (_String1="messenger", _String2="ACRONISAGENT") returned 12 [0295.001] _wcsicmp (_String1="receiver", _String2="ACRONISAGENT") returned 17 [0295.001] _wcsicmp (_String1="rcv", _String2="ACRONISAGENT") returned 17 [0295.001] _wcsicmp (_String1="redirector", _String2="ACRONISAGENT") returned 17 [0295.001] _wcsicmp (_String1="redir", _String2="ACRONISAGENT") returned 17 [0295.001] _wcsicmp (_String1="rdr", _String2="ACRONISAGENT") returned 17 [0295.001] _wcsicmp (_String1="workstation", _String2="ACRONISAGENT") returned 22 [0295.001] _wcsicmp (_String1="work", _String2="ACRONISAGENT") returned 22 [0295.001] _wcsicmp (_String1="wksta", _String2="ACRONISAGENT") returned 22 [0295.001] _wcsicmp (_String1="prdr", _String2="ACRONISAGENT") returned 15 [0295.001] _wcsicmp (_String1="devrdr", _String2="ACRONISAGENT") returned 3 [0295.001] _wcsicmp (_String1="lanmanworkstation", _String2="ACRONISAGENT") returned 11 [0295.001] _wcsicmp (_String1="server", _String2="ACRONISAGENT") returned 18 [0295.001] _wcsicmp (_String1="svr", _String2="ACRONISAGENT") returned 18 [0295.002] _wcsicmp (_String1="srv", _String2="ACRONISAGENT") returned 18 [0295.002] _wcsicmp (_String1="lanmanserver", _String2="ACRONISAGENT") returned 11 [0295.002] _wcsicmp (_String1="alerter", _String2="ACRONISAGENT") returned 9 [0295.002] _wcsicmp (_String1="netlogon", _String2="ACRONISAGENT") returned 13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="WORKSTATION") returned -22 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="LanmanWorkstation") returned -11 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="SERVER") returned -18 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="LanmanServer") returned -11 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="BROWSER") returned -1 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="BROWSER") returned -1 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="MESSENGER") returned -12 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="MESSENGER") returned -12 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="NETRUN") returned -13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="NETRUN") returned -13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="SPOOLER") returned -18 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="SPOOLER") returned -18 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="ALERTER") returned -9 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="ALERTER") returned -9 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="NETLOGON") returned -13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="NETLOGON") returned -13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="NETPOPUP") returned -13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="NETPOPUP") returned -13 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="SQLSERVER") returned -18 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="SQLSERVER") returned -18 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="REPLICATOR") returned -17 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="REPLICATOR") returned -17 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="REMOTEBOOT") returned -17 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="REMOTEBOOT") returned -17 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="TIMESOURCE") returned -19 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="TIMESOURCE") returned -19 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="AFP") returned -3 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="AFP") returned -3 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="UPS") returned -20 [0295.002] _wcsicmp (_String1="ACRONISAGENT", _String2="UPS") returned -20 [0295.003] _wcsicmp (_String1="ACRONISAGENT", _String2="XACTSRV") returned -23 [0295.003] _wcsicmp (_String1="ACRONISAGENT", _String2="XACTSRV") returned -23 [0295.003] _wcsicmp (_String1="ACRONISAGENT", _String2="TCPIP") returned -19 [0295.003] _wcsicmp (_String1="ACRONISAGENT", _String2="TCPIP") returned -19 [0295.003] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x34d08a0 [0295.003] OpenServiceW (hSCManager=0x34d08a0, lpServiceName="ACRONISAGENT", dwDesiredAccess=0x84) returned 0x0 [0295.003] GetLastError () returned 0x424 [0295.003] CloseServiceHandle (hSCObject=0x34d08a0) returned 1 [0295.004] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0295.004] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2fc0002 [0295.004] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2fc0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0295.005] GetFileType (hFile=0x94) returned 0x2 [0295.005] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f4f514 | out: lpMode=0x2f4f514) returned 1 [0295.005] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2f4f520, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f4f520*=0x1e) returned 1 [0295.006] GetFileType (hFile=0x94) returned 0x2 [0295.006] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f4f514 | out: lpMode=0x2f4f514) returned 1 [0295.006] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f4f520, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f4f520*=0x2) returned 1 [0295.006] _ultow (in: _Dest=0x889, _Radix=49608040 | out: _Dest=0x889) returned="2185" [0295.006] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2fc0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0295.007] GetFileType (hFile=0x94) returned 0x2 [0295.007] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f4f538 | out: lpMode=0x2f4f538) returned 1 [0295.007] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2f4f544, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f4f544*=0x34) returned 1 [0295.007] GetFileType (hFile=0x94) returned 0x2 [0295.007] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f4f538 | out: lpMode=0x2f4f538) returned 1 [0295.007] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f4f544, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f4f544*=0x2) returned 1 [0295.008] NetApiBufferFree (Buffer=0x34c8580) returned 0x0 [0295.008] NetApiBufferFree (Buffer=0x34c8610) returned 0x0 [0295.008] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop AcronisAgent /y" [0295.008] exit (_Code=2) Thread: id = 248 os_tid = 0x1164 Process: id = "103" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x87b0000" os_pid = "0xfe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop CASAD2DWebSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 249 os_tid = 0x10a0 Thread: id = 253 os_tid = 0x13dc Process: id = "104" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xb02e000" os_pid = "0x13f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "103" os_parent_pid = "0xfe8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 250 os_tid = 0x1340 Thread: id = 251 os_tid = 0x790 Thread: id = 252 os_tid = 0x10bc Process: id = "105" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x781ac000" os_pid = "0x10f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "103" os_parent_pid = "0xfe8" cmd_line = "C:\\WINDOWS\\system32\\net1 stop CASAD2DWebSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 254 os_tid = 0x1090 [0295.417] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0295.417] __set_app_type (_Type=0x1) [0295.417] __p__fmode () returned 0x776f3c14 [0295.417] __p__commode () returned 0x776f49ec [0295.417] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0295.417] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0295.417] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0295.417] GetConsoleOutputCP () returned 0x1b5 [0295.418] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0295.418] SetThreadUILanguage (LangId=0x0) returned 0x3030409 [0295.421] sprintf_s (in: _DstBuf=0x327fda4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0295.421] setlocale (category=0, locale=".437") returned="English_United States.437" [0295.422] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0295.422] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0295.422] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop CASAD2DWebSvc /y" [0295.422] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x327fb4c, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0295.422] RtlAllocateHeap (HeapHandle=0x3490000, Flags=0x0, Size=0x6e) returned 0x34943a0 [0295.423] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0295.423] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x327fb48 | out: Buffer=0x327fb48*=0x34984d8) returned 0x0 [0295.423] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x327fb44 | out: Buffer=0x327fb44*=0x3498508) returned 0x0 [0295.423] __iob_func () returned 0x776f2608 [0295.423] _fileno (_File=0x776f2608) returned 0 [0295.423] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0295.423] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0295.423] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0295.423] _wcsicmp (_String1="config", _String2="stop") returned -16 [0295.423] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0295.423] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0295.423] _wcsicmp (_String1="file", _String2="stop") returned -13 [0295.423] _wcsicmp (_String1="files", _String2="stop") returned -13 [0295.423] _wcsicmp (_String1="group", _String2="stop") returned -12 [0295.423] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0295.423] _wcsicmp (_String1="help", _String2="stop") returned -11 [0295.423] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0295.423] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0295.423] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0295.423] _wcsicmp (_String1="session", _String2="stop") returned -15 [0295.423] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0295.423] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0295.423] _wcsicmp (_String1="share", _String2="stop") returned -12 [0295.423] _wcsicmp (_String1="start", _String2="stop") returned -14 [0295.423] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0295.423] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0295.423] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0295.423] _wcsicmp (_String1="accounts", _String2="CASAD2DWebSvc") returned -2 [0295.423] _wcsicmp (_String1="computer", _String2="CASAD2DWebSvc") returned 14 [0295.424] _wcsicmp (_String1="config", _String2="CASAD2DWebSvc") returned 14 [0295.424] _wcsicmp (_String1="continue", _String2="CASAD2DWebSvc") returned 14 [0295.424] _wcsicmp (_String1="cont", _String2="CASAD2DWebSvc") returned 14 [0295.424] _wcsicmp (_String1="file", _String2="CASAD2DWebSvc") returned 3 [0295.424] _wcsicmp (_String1="files", _String2="CASAD2DWebSvc") returned 3 [0295.424] _wcsicmp (_String1="group", _String2="CASAD2DWebSvc") returned 4 [0295.424] _wcsicmp (_String1="groups", _String2="CASAD2DWebSvc") returned 4 [0295.424] _wcsicmp (_String1="help", _String2="CASAD2DWebSvc") returned 5 [0295.424] _wcsicmp (_String1="helpmsg", _String2="CASAD2DWebSvc") returned 5 [0295.424] _wcsicmp (_String1="localgroup", _String2="CASAD2DWebSvc") returned 9 [0295.424] _wcsicmp (_String1="pause", _String2="CASAD2DWebSvc") returned 13 [0295.424] _wcsicmp (_String1="session", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="sessions", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="sess", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="share", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="start", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="stats", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="statistics", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="stop", _String2="CASAD2DWebSvc") returned 16 [0295.424] _wcsicmp (_String1="time", _String2="CASAD2DWebSvc") returned 17 [0295.424] _wcsicmp (_String1="user", _String2="CASAD2DWebSvc") returned 18 [0295.424] _wcsicmp (_String1="users", _String2="CASAD2DWebSvc") returned 18 [0295.424] _wcsicmp (_String1="msg", _String2="CASAD2DWebSvc") returned 10 [0295.424] _wcsicmp (_String1="messenger", _String2="CASAD2DWebSvc") returned 10 [0295.424] _wcsicmp (_String1="receiver", _String2="CASAD2DWebSvc") returned 15 [0295.424] _wcsicmp (_String1="rcv", _String2="CASAD2DWebSvc") returned 15 [0295.424] _wcsicmp (_String1="netpopup", _String2="CASAD2DWebSvc") returned 11 [0295.424] _wcsicmp (_String1="redirector", _String2="CASAD2DWebSvc") returned 15 [0295.424] _wcsicmp (_String1="redir", _String2="CASAD2DWebSvc") returned 15 [0295.424] _wcsicmp (_String1="rdr", _String2="CASAD2DWebSvc") returned 15 [0295.424] _wcsicmp (_String1="workstation", _String2="CASAD2DWebSvc") returned 20 [0295.424] _wcsicmp (_String1="work", _String2="CASAD2DWebSvc") returned 20 [0295.424] _wcsicmp (_String1="wksta", _String2="CASAD2DWebSvc") returned 20 [0295.424] _wcsicmp (_String1="prdr", _String2="CASAD2DWebSvc") returned 13 [0295.424] _wcsicmp (_String1="devrdr", _String2="CASAD2DWebSvc") returned 1 [0295.424] _wcsicmp (_String1="lanmanworkstation", _String2="CASAD2DWebSvc") returned 9 [0295.424] _wcsicmp (_String1="server", _String2="CASAD2DWebSvc") returned 16 [0295.425] _wcsicmp (_String1="svr", _String2="CASAD2DWebSvc") returned 16 [0295.425] _wcsicmp (_String1="srv", _String2="CASAD2DWebSvc") returned 16 [0295.425] _wcsicmp (_String1="lanmanserver", _String2="CASAD2DWebSvc") returned 9 [0295.425] _wcsicmp (_String1="alerter", _String2="CASAD2DWebSvc") returned -2 [0295.425] _wcsicmp (_String1="netlogon", _String2="CASAD2DWebSvc") returned 11 [0295.425] _wcsupr (in: _String="CASAD2DWebSvc" | out: _String="CASAD2DWEBSVC") returned="CASAD2DWEBSVC" [0295.425] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34a0b68 [0295.428] GetServiceKeyNameW (in: hSCManager=0x34a0b68, lpDisplayName="CASAD2DWEBSVC", lpServiceName=0x1c8c28, lpcchBuffer=0x327fabc | out: lpServiceName="", lpcchBuffer=0x327fabc) returned 0 [0295.429] _wcsicmp (_String1="msg", _String2="CASAD2DWEBSVC") returned 10 [0295.429] _wcsicmp (_String1="messenger", _String2="CASAD2DWEBSVC") returned 10 [0295.429] _wcsicmp (_String1="receiver", _String2="CASAD2DWEBSVC") returned 15 [0295.429] _wcsicmp (_String1="rcv", _String2="CASAD2DWEBSVC") returned 15 [0295.429] _wcsicmp (_String1="redirector", _String2="CASAD2DWEBSVC") returned 15 [0295.429] _wcsicmp (_String1="redir", _String2="CASAD2DWEBSVC") returned 15 [0295.429] _wcsicmp (_String1="rdr", _String2="CASAD2DWEBSVC") returned 15 [0295.429] _wcsicmp (_String1="workstation", _String2="CASAD2DWEBSVC") returned 20 [0295.429] _wcsicmp (_String1="work", _String2="CASAD2DWEBSVC") returned 20 [0295.429] _wcsicmp (_String1="wksta", _String2="CASAD2DWEBSVC") returned 20 [0295.429] _wcsicmp (_String1="prdr", _String2="CASAD2DWEBSVC") returned 13 [0295.429] _wcsicmp (_String1="devrdr", _String2="CASAD2DWEBSVC") returned 1 [0295.429] _wcsicmp (_String1="lanmanworkstation", _String2="CASAD2DWEBSVC") returned 9 [0295.429] _wcsicmp (_String1="server", _String2="CASAD2DWEBSVC") returned 16 [0295.429] _wcsicmp (_String1="svr", _String2="CASAD2DWEBSVC") returned 16 [0295.429] _wcsicmp (_String1="srv", _String2="CASAD2DWEBSVC") returned 16 [0295.429] _wcsicmp (_String1="lanmanserver", _String2="CASAD2DWEBSVC") returned 9 [0295.429] _wcsicmp (_String1="alerter", _String2="CASAD2DWEBSVC") returned -2 [0295.429] _wcsicmp (_String1="netlogon", _String2="CASAD2DWEBSVC") returned 11 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="WORKSTATION") returned -20 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="LanmanWorkstation") returned -9 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="SERVER") returned -16 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="LanmanServer") returned -9 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="BROWSER") returned 1 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="BROWSER") returned 1 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="MESSENGER") returned -10 [0295.429] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="MESSENGER") returned -10 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="NETRUN") returned -11 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="NETRUN") returned -11 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="SPOOLER") returned -16 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="SPOOLER") returned -16 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="ALERTER") returned 2 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="ALERTER") returned 2 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="NETLOGON") returned -11 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="NETLOGON") returned -11 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="NETPOPUP") returned -11 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="NETPOPUP") returned -11 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="SQLSERVER") returned -16 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="SQLSERVER") returned -16 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="REPLICATOR") returned -15 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="REPLICATOR") returned -15 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="REMOTEBOOT") returned -15 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="REMOTEBOOT") returned -15 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="TIMESOURCE") returned -17 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="TIMESOURCE") returned -17 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="AFP") returned 2 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="AFP") returned 2 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="UPS") returned -18 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="UPS") returned -18 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="XACTSRV") returned -21 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="XACTSRV") returned -21 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="TCPIP") returned -17 [0295.430] _wcsicmp (_String1="CASAD2DWEBSVC", _String2="TCPIP") returned -17 [0295.430] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x34a0960 [0295.431] OpenServiceW (hSCManager=0x34a0960, lpServiceName="CASAD2DWEBSVC", dwDesiredAccess=0x84) returned 0x0 [0295.431] GetLastError () returned 0x424 [0295.431] CloseServiceHandle (hSCObject=0x34a0960) returned 1 [0295.431] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0295.431] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x3370002 [0295.432] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x3370002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0295.433] GetFileType (hFile=0x94) returned 0x2 [0295.433] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x327f94c | out: lpMode=0x327f94c) returned 1 [0295.433] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x327f958, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x327f958*=0x1e) returned 1 [0295.433] GetFileType (hFile=0x94) returned 0x2 [0295.434] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x327f94c | out: lpMode=0x327f94c) returned 1 [0295.434] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x327f958, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x327f958*=0x2) returned 1 [0295.434] _ultow (in: _Dest=0x889, _Radix=52951456 | out: _Dest=0x889) returned="2185" [0295.434] FormatMessageW (in: dwFlags=0x2800, lpSource=0x3370002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0295.434] GetFileType (hFile=0x94) returned 0x2 [0295.434] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x327f970 | out: lpMode=0x327f970) returned 1 [0295.435] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x327f97c, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x327f97c*=0x34) returned 1 [0295.435] GetFileType (hFile=0x94) returned 0x2 [0295.435] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x327f970 | out: lpMode=0x327f970) returned 1 [0295.435] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x327f97c, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x327f97c*=0x2) returned 1 [0295.436] NetApiBufferFree (Buffer=0x34984d8) returned 0x0 [0295.436] NetApiBufferFree (Buffer=0x3498508) returned 0x0 [0295.436] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop CASAD2DWebSvc /y" [0295.436] exit (_Code=2) Thread: id = 255 os_tid = 0x1378 Process: id = "106" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x19435000" os_pid = "0xd4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop CAARCUpdateSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 256 os_tid = 0x6dc Thread: id = 260 os_tid = 0xd18 Process: id = "107" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x66a28000" os_pid = "0x510" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "106" os_parent_pid = "0xd4c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 257 os_tid = 0xcfc Thread: id = 258 os_tid = 0x774 Thread: id = 259 os_tid = 0x680 Process: id = "108" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x8f26000" os_pid = "0x514" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "106" os_parent_pid = "0xd4c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop CAARCUpdateSvc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 261 os_tid = 0x12c0 [0295.960] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0295.960] __set_app_type (_Type=0x1) [0295.960] __p__fmode () returned 0x776f3c14 [0295.960] __p__commode () returned 0x776f49ec [0295.960] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0295.960] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0295.960] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0295.960] GetConsoleOutputCP () returned 0x1b5 [0295.961] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0295.961] SetThreadUILanguage (LangId=0x0) returned 0x2490409 [0295.964] sprintf_s (in: _DstBuf=0x26efaac, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0295.964] setlocale (category=0, locale=".437") returned="English_United States.437" [0295.965] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0295.965] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0295.965] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop CAARCUpdateSvc /y" [0295.965] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26ef854, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0295.965] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x0, Size=0x70) returned 0x28e7880 [0295.965] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0295.965] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26ef850 | out: Buffer=0x26ef850*=0x28e8568) returned 0x0 [0295.966] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26ef84c | out: Buffer=0x26ef84c*=0x28e85e0) returned 0x0 [0295.966] __iob_func () returned 0x776f2608 [0295.966] _fileno (_File=0x776f2608) returned 0 [0295.966] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0295.966] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0295.966] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0295.966] _wcsicmp (_String1="config", _String2="stop") returned -16 [0295.966] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0295.966] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0295.966] _wcsicmp (_String1="file", _String2="stop") returned -13 [0295.966] _wcsicmp (_String1="files", _String2="stop") returned -13 [0295.966] _wcsicmp (_String1="group", _String2="stop") returned -12 [0295.966] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0295.966] _wcsicmp (_String1="help", _String2="stop") returned -11 [0295.966] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0295.966] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0295.966] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0295.966] _wcsicmp (_String1="session", _String2="stop") returned -15 [0295.966] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0295.966] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0295.966] _wcsicmp (_String1="share", _String2="stop") returned -12 [0295.966] _wcsicmp (_String1="start", _String2="stop") returned -14 [0295.966] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0295.966] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0295.966] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0295.966] _wcsicmp (_String1="accounts", _String2="CAARCUpdateSvc") returned -2 [0295.966] _wcsicmp (_String1="computer", _String2="CAARCUpdateSvc") returned 14 [0295.966] _wcsicmp (_String1="config", _String2="CAARCUpdateSvc") returned 14 [0295.966] _wcsicmp (_String1="continue", _String2="CAARCUpdateSvc") returned 14 [0295.966] _wcsicmp (_String1="cont", _String2="CAARCUpdateSvc") returned 14 [0295.966] _wcsicmp (_String1="file", _String2="CAARCUpdateSvc") returned 3 [0295.966] _wcsicmp (_String1="files", _String2="CAARCUpdateSvc") returned 3 [0295.967] _wcsicmp (_String1="group", _String2="CAARCUpdateSvc") returned 4 [0295.967] _wcsicmp (_String1="groups", _String2="CAARCUpdateSvc") returned 4 [0295.967] _wcsicmp (_String1="help", _String2="CAARCUpdateSvc") returned 5 [0295.967] _wcsicmp (_String1="helpmsg", _String2="CAARCUpdateSvc") returned 5 [0295.967] _wcsicmp (_String1="localgroup", _String2="CAARCUpdateSvc") returned 9 [0295.967] _wcsicmp (_String1="pause", _String2="CAARCUpdateSvc") returned 13 [0295.967] _wcsicmp (_String1="session", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="sessions", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="sess", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="share", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="start", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="stats", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="statistics", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="stop", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="time", _String2="CAARCUpdateSvc") returned 17 [0295.967] _wcsicmp (_String1="user", _String2="CAARCUpdateSvc") returned 18 [0295.967] _wcsicmp (_String1="users", _String2="CAARCUpdateSvc") returned 18 [0295.967] _wcsicmp (_String1="msg", _String2="CAARCUpdateSvc") returned 10 [0295.967] _wcsicmp (_String1="messenger", _String2="CAARCUpdateSvc") returned 10 [0295.967] _wcsicmp (_String1="receiver", _String2="CAARCUpdateSvc") returned 15 [0295.967] _wcsicmp (_String1="rcv", _String2="CAARCUpdateSvc") returned 15 [0295.967] _wcsicmp (_String1="netpopup", _String2="CAARCUpdateSvc") returned 11 [0295.967] _wcsicmp (_String1="redirector", _String2="CAARCUpdateSvc") returned 15 [0295.967] _wcsicmp (_String1="redir", _String2="CAARCUpdateSvc") returned 15 [0295.967] _wcsicmp (_String1="rdr", _String2="CAARCUpdateSvc") returned 15 [0295.967] _wcsicmp (_String1="workstation", _String2="CAARCUpdateSvc") returned 20 [0295.967] _wcsicmp (_String1="work", _String2="CAARCUpdateSvc") returned 20 [0295.967] _wcsicmp (_String1="wksta", _String2="CAARCUpdateSvc") returned 20 [0295.967] _wcsicmp (_String1="prdr", _String2="CAARCUpdateSvc") returned 13 [0295.967] _wcsicmp (_String1="devrdr", _String2="CAARCUpdateSvc") returned 1 [0295.967] _wcsicmp (_String1="lanmanworkstation", _String2="CAARCUpdateSvc") returned 9 [0295.967] _wcsicmp (_String1="server", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="svr", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="srv", _String2="CAARCUpdateSvc") returned 16 [0295.967] _wcsicmp (_String1="lanmanserver", _String2="CAARCUpdateSvc") returned 9 [0295.967] _wcsicmp (_String1="alerter", _String2="CAARCUpdateSvc") returned -2 [0295.967] _wcsicmp (_String1="netlogon", _String2="CAARCUpdateSvc") returned 11 [0295.968] _wcsupr (in: _String="CAARCUpdateSvc" | out: _String="CAARCUPDATESVC") returned="CAARCUPDATESVC" [0295.968] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x28f08b8 [0295.971] GetServiceKeyNameW (in: hSCManager=0x28f08b8, lpDisplayName="CAARCUPDATESVC", lpServiceName=0x1c8c28, lpcchBuffer=0x26ef7c4 | out: lpServiceName="", lpcchBuffer=0x26ef7c4) returned 0 [0295.971] _wcsicmp (_String1="msg", _String2="CAARCUPDATESVC") returned 10 [0295.971] _wcsicmp (_String1="messenger", _String2="CAARCUPDATESVC") returned 10 [0295.971] _wcsicmp (_String1="receiver", _String2="CAARCUPDATESVC") returned 15 [0295.971] _wcsicmp (_String1="rcv", _String2="CAARCUPDATESVC") returned 15 [0295.971] _wcsicmp (_String1="redirector", _String2="CAARCUPDATESVC") returned 15 [0295.971] _wcsicmp (_String1="redir", _String2="CAARCUPDATESVC") returned 15 [0295.972] _wcsicmp (_String1="rdr", _String2="CAARCUPDATESVC") returned 15 [0295.972] _wcsicmp (_String1="workstation", _String2="CAARCUPDATESVC") returned 20 [0295.972] _wcsicmp (_String1="work", _String2="CAARCUPDATESVC") returned 20 [0295.972] _wcsicmp (_String1="wksta", _String2="CAARCUPDATESVC") returned 20 [0295.972] _wcsicmp (_String1="prdr", _String2="CAARCUPDATESVC") returned 13 [0295.972] _wcsicmp (_String1="devrdr", _String2="CAARCUPDATESVC") returned 1 [0295.972] _wcsicmp (_String1="lanmanworkstation", _String2="CAARCUPDATESVC") returned 9 [0295.972] _wcsicmp (_String1="server", _String2="CAARCUPDATESVC") returned 16 [0295.972] _wcsicmp (_String1="svr", _String2="CAARCUPDATESVC") returned 16 [0295.972] _wcsicmp (_String1="srv", _String2="CAARCUPDATESVC") returned 16 [0295.972] _wcsicmp (_String1="lanmanserver", _String2="CAARCUPDATESVC") returned 9 [0295.972] _wcsicmp (_String1="alerter", _String2="CAARCUPDATESVC") returned -2 [0295.972] _wcsicmp (_String1="netlogon", _String2="CAARCUPDATESVC") returned 11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="WORKSTATION") returned -20 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="LanmanWorkstation") returned -9 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="SERVER") returned -16 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="LanmanServer") returned -9 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="BROWSER") returned 1 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="BROWSER") returned 1 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="MESSENGER") returned -10 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="MESSENGER") returned -10 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="NETRUN") returned -11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="NETRUN") returned -11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="SPOOLER") returned -16 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="SPOOLER") returned -16 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="ALERTER") returned 2 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="ALERTER") returned 2 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="NETLOGON") returned -11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="NETLOGON") returned -11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="NETPOPUP") returned -11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="NETPOPUP") returned -11 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="SQLSERVER") returned -16 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="SQLSERVER") returned -16 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="REPLICATOR") returned -15 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="REPLICATOR") returned -15 [0295.972] _wcsicmp (_String1="CAARCUPDATESVC", _String2="REMOTEBOOT") returned -15 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="REMOTEBOOT") returned -15 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="TIMESOURCE") returned -17 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="TIMESOURCE") returned -17 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="AFP") returned 2 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="AFP") returned 2 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="UPS") returned -18 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="UPS") returned -18 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="XACTSRV") returned -21 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="XACTSRV") returned -21 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="TCPIP") returned -17 [0295.973] _wcsicmp (_String1="CAARCUPDATESVC", _String2="TCPIP") returned -17 [0295.973] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x28f0840 [0295.973] OpenServiceW (hSCManager=0x28f0840, lpServiceName="CAARCUPDATESVC", dwDesiredAccess=0x84) returned 0x0 [0295.973] GetLastError () returned 0x424 [0295.974] CloseServiceHandle (hSCObject=0x28f0840) returned 1 [0295.974] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0295.974] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x2830002 [0295.974] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x2830002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0295.975] GetFileType (hFile=0x94) returned 0x2 [0295.975] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef654 | out: lpMode=0x26ef654) returned 1 [0295.975] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26ef660, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x26ef660*=0x1e) returned 1 [0295.976] GetFileType (hFile=0x94) returned 0x2 [0295.976] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef654 | out: lpMode=0x26ef654) returned 1 [0295.977] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26ef660, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x26ef660*=0x2) returned 1 [0295.977] _ultow (in: _Dest=0x889, _Radix=40826536 | out: _Dest=0x889) returned="2185" [0295.977] FormatMessageW (in: dwFlags=0x2800, lpSource=0x2830002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0295.977] GetFileType (hFile=0x94) returned 0x2 [0295.977] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef678 | out: lpMode=0x26ef678) returned 1 [0295.977] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26ef684, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x26ef684*=0x34) returned 1 [0295.978] GetFileType (hFile=0x94) returned 0x2 [0295.978] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x26ef678 | out: lpMode=0x26ef678) returned 1 [0295.978] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26ef684, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x26ef684*=0x2) returned 1 [0295.978] NetApiBufferFree (Buffer=0x28e8568) returned 0x0 [0295.979] NetApiBufferFree (Buffer=0x28e85e0) returned 0x0 [0295.979] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop CAARCUpdateSvc /y" [0295.979] exit (_Code=2) Thread: id = 262 os_tid = 0x137c Process: id = "109" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x641ba000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"net.exe\" stop sophos /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 263 os_tid = 0x10b0 Thread: id = 267 os_tid = 0x12b8 Process: id = "110" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xbb63000" os_pid = "0x108c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "109" os_parent_pid = "0xa70" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 264 os_tid = 0x13fc Thread: id = 265 os_tid = 0x133c Thread: id = 266 os_tid = 0x10b4 Process: id = "111" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1a5e1000" os_pid = "0x12e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "109" os_parent_pid = "0xa70" cmd_line = "C:\\WINDOWS\\system32\\net1 stop sophos /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 268 os_tid = 0x1308 [0296.363] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0296.363] __set_app_type (_Type=0x1) [0296.363] __p__fmode () returned 0x776f3c14 [0296.363] __p__commode () returned 0x776f49ec [0296.363] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a6f20) returned 0x0 [0296.363] __getmainargs (in: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610, _DoWildCard=0, _StartInfo=0x1bf61c | out: _Argc=0x1bf608, _Argv=0x1bf60c, _Env=0x1bf610) returned 0 [0296.363] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0296.364] GetConsoleOutputCP () returned 0x1b5 [0296.364] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1c6fa0 | out: lpCPInfo=0x1c6fa0) returned 1 [0296.364] SetThreadUILanguage (LangId=0x0) returned 0x31c0409 [0296.367] sprintf_s (in: _DstBuf=0x2f8f770, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0296.367] setlocale (category=0, locale=".437") returned="English_United States.437" [0296.369] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0296.369] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0296.369] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop sophos /y" [0296.369] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f8f518, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0296.369] RtlAllocateHeap (HeapHandle=0x3420000, Flags=0x0, Size=0x60) returned 0x3427a90 [0296.369] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0296.369] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f8f514 | out: Buffer=0x2f8f514*=0x3427d58) returned 0x0 [0296.369] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2f8f510 | out: Buffer=0x2f8f510*=0x3427d70) returned 0x0 [0296.369] __iob_func () returned 0x776f2608 [0296.369] _fileno (_File=0x776f2608) returned 0 [0296.369] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0296.369] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0296.369] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0296.369] _wcsicmp (_String1="config", _String2="stop") returned -16 [0296.369] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0296.369] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0296.369] _wcsicmp (_String1="file", _String2="stop") returned -13 [0296.369] _wcsicmp (_String1="files", _String2="stop") returned -13 [0296.369] _wcsicmp (_String1="group", _String2="stop") returned -12 [0296.369] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0296.369] _wcsicmp (_String1="help", _String2="stop") returned -11 [0296.369] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0296.369] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0296.369] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0296.369] _wcsicmp (_String1="session", _String2="stop") returned -15 [0296.369] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0296.369] _wcsicmp (_String1=0x1a1ffc, _String2="stop") returned -15 [0296.369] _wcsicmp (_String1="share", _String2="stop") returned -12 [0296.370] _wcsicmp (_String1="start", _String2="stop") returned -14 [0296.370] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0296.370] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0296.370] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0296.370] _wcsicmp (_String1="accounts", _String2="sophos") returned -18 [0296.370] _wcsicmp (_String1="computer", _String2="sophos") returned -16 [0296.370] _wcsicmp (_String1="config", _String2="sophos") returned -16 [0296.370] _wcsicmp (_String1="continue", _String2="sophos") returned -16 [0296.370] _wcsicmp (_String1="cont", _String2="sophos") returned -16 [0296.370] _wcsicmp (_String1="file", _String2="sophos") returned -13 [0296.370] _wcsicmp (_String1="files", _String2="sophos") returned -13 [0296.370] _wcsicmp (_String1="group", _String2="sophos") returned -12 [0296.370] _wcsicmp (_String1="groups", _String2="sophos") returned -12 [0296.370] _wcsicmp (_String1="help", _String2="sophos") returned -11 [0296.370] _wcsicmp (_String1="helpmsg", _String2="sophos") returned -11 [0296.370] _wcsicmp (_String1="localgroup", _String2="sophos") returned -7 [0296.370] _wcsicmp (_String1="pause", _String2="sophos") returned -3 [0296.370] _wcsicmp (_String1="session", _String2="sophos") returned -10 [0296.370] _wcsicmp (_String1="sessions", _String2="sophos") returned -10 [0296.370] _wcsicmp (_String1="sess", _String2="sophos") returned -10 [0296.370] _wcsicmp (_String1="share", _String2="sophos") returned -7 [0296.370] _wcsicmp (_String1="start", _String2="sophos") returned 5 [0296.370] _wcsicmp (_String1="stats", _String2="sophos") returned 5 [0296.370] _wcsicmp (_String1="statistics", _String2="sophos") returned 5 [0296.370] _wcsicmp (_String1="stop", _String2="sophos") returned 5 [0296.370] _wcsicmp (_String1="time", _String2="sophos") returned 1 [0296.370] _wcsicmp (_String1="user", _String2="sophos") returned 2 [0296.370] _wcsicmp (_String1="users", _String2="sophos") returned 2 [0296.370] _wcsicmp (_String1="msg", _String2="sophos") returned -6 [0296.370] _wcsicmp (_String1="messenger", _String2="sophos") returned -6 [0296.370] _wcsicmp (_String1="receiver", _String2="sophos") returned -1 [0296.370] _wcsicmp (_String1="rcv", _String2="sophos") returned -1 [0296.370] _wcsicmp (_String1="netpopup", _String2="sophos") returned -5 [0296.370] _wcsicmp (_String1="redirector", _String2="sophos") returned -1 [0296.370] _wcsicmp (_String1="redir", _String2="sophos") returned -1 [0296.370] _wcsicmp (_String1="rdr", _String2="sophos") returned -1 [0296.370] _wcsicmp (_String1="workstation", _String2="sophos") returned 4 [0296.370] _wcsicmp (_String1="work", _String2="sophos") returned 4 [0296.370] _wcsicmp (_String1="wksta", _String2="sophos") returned 4 [0296.370] _wcsicmp (_String1="prdr", _String2="sophos") returned -3 [0296.370] _wcsicmp (_String1="devrdr", _String2="sophos") returned -15 [0296.371] _wcsicmp (_String1="lanmanworkstation", _String2="sophos") returned -7 [0296.371] _wcsicmp (_String1="server", _String2="sophos") returned -10 [0296.371] _wcsicmp (_String1="svr", _String2="sophos") returned 7 [0296.371] _wcsicmp (_String1="srv", _String2="sophos") returned 3 [0296.371] _wcsicmp (_String1="lanmanserver", _String2="sophos") returned -7 [0296.371] _wcsicmp (_String1="alerter", _String2="sophos") returned -18 [0296.371] _wcsicmp (_String1="netlogon", _String2="sophos") returned -5 [0296.371] _wcsupr (in: _String="sophos" | out: _String="SOPHOS") returned="SOPHOS" [0296.371] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3430828 [0296.374] GetServiceKeyNameW (in: hSCManager=0x3430828, lpDisplayName="SOPHOS", lpServiceName=0x1c8c28, lpcchBuffer=0x2f8f484 | out: lpServiceName="", lpcchBuffer=0x2f8f484) returned 0 [0296.374] _wcsicmp (_String1="msg", _String2="SOPHOS") returned -6 [0296.374] _wcsicmp (_String1="messenger", _String2="SOPHOS") returned -6 [0296.374] _wcsicmp (_String1="receiver", _String2="SOPHOS") returned -1 [0296.374] _wcsicmp (_String1="rcv", _String2="SOPHOS") returned -1 [0296.374] _wcsicmp (_String1="redirector", _String2="SOPHOS") returned -1 [0296.374] _wcsicmp (_String1="redir", _String2="SOPHOS") returned -1 [0296.375] _wcsicmp (_String1="rdr", _String2="SOPHOS") returned -1 [0296.375] _wcsicmp (_String1="workstation", _String2="SOPHOS") returned 4 [0296.375] _wcsicmp (_String1="work", _String2="SOPHOS") returned 4 [0296.375] _wcsicmp (_String1="wksta", _String2="SOPHOS") returned 4 [0296.375] _wcsicmp (_String1="prdr", _String2="SOPHOS") returned -3 [0296.375] _wcsicmp (_String1="devrdr", _String2="SOPHOS") returned -15 [0296.375] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS") returned -7 [0296.375] _wcsicmp (_String1="server", _String2="SOPHOS") returned -10 [0296.375] _wcsicmp (_String1="svr", _String2="SOPHOS") returned 7 [0296.375] _wcsicmp (_String1="srv", _String2="SOPHOS") returned 3 [0296.375] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS") returned -7 [0296.375] _wcsicmp (_String1="alerter", _String2="SOPHOS") returned -18 [0296.375] _wcsicmp (_String1="netlogon", _String2="SOPHOS") returned -5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="WORKSTATION") returned -4 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="LanmanWorkstation") returned 7 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="SERVER") returned 10 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="LanmanServer") returned 7 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="BROWSER") returned 17 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="BROWSER") returned 17 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="MESSENGER") returned 6 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="MESSENGER") returned 6 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="NETRUN") returned 5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="NETRUN") returned 5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="SPOOLER") returned -1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="SPOOLER") returned -1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="ALERTER") returned 18 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="ALERTER") returned 18 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="NETLOGON") returned 5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="NETLOGON") returned 5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="NETPOPUP") returned 5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="NETPOPUP") returned 5 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="SQLSERVER") returned -2 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="SQLSERVER") returned -2 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="REPLICATOR") returned 1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="REPLICATOR") returned 1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="REMOTEBOOT") returned 1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="REMOTEBOOT") returned 1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="TIMESOURCE") returned -1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="TIMESOURCE") returned -1 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="AFP") returned 18 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="AFP") returned 18 [0296.375] _wcsicmp (_String1="SOPHOS", _String2="UPS") returned -2 [0296.376] _wcsicmp (_String1="SOPHOS", _String2="UPS") returned -2 [0296.376] _wcsicmp (_String1="SOPHOS", _String2="XACTSRV") returned -5 [0296.376] _wcsicmp (_String1="SOPHOS", _String2="XACTSRV") returned -5 [0296.376] _wcsicmp (_String1="SOPHOS", _String2="TCPIP") returned -1 [0296.376] _wcsicmp (_String1="SOPHOS", _String2="TCPIP") returned -1 [0296.376] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3430878 [0296.376] OpenServiceW (hSCManager=0x3430878, lpServiceName="SOPHOS", dwDesiredAccess=0x84) returned 0x0 [0296.376] GetLastError () returned 0x424 [0296.376] CloseServiceHandle (hSCObject=0x3430878) returned 1 [0296.377] wcscpy_s (in: _Destination=0x1c7610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0296.377] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x3280002 [0296.377] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x3280002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0296.378] GetFileType (hFile=0x94) returned 0x2 [0296.378] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f8f314 | out: lpMode=0x2f8f314) returned 1 [0296.378] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2f8f320, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f8f320*=0x1e) returned 1 [0296.378] GetFileType (hFile=0x94) returned 0x2 [0296.378] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f8f314 | out: lpMode=0x2f8f314) returned 1 [0296.379] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f8f320, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f8f320*=0x2) returned 1 [0296.379] _ultow (in: _Dest=0x889, _Radix=49869672 | out: _Dest=0x889) returned="2185" [0296.379] FormatMessageW (in: dwFlags=0x2800, lpSource=0x3280002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1c7c20, nSize=0x800, Arguments=0x1c73d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0296.379] GetFileType (hFile=0x94) returned 0x2 [0296.379] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f8f338 | out: lpMode=0x2f8f338) returned 1 [0296.380] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1c7c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2f8f344, lpReserved=0x0 | out: lpBuffer=0x1c7c20*, lpNumberOfCharsWritten=0x2f8f344*=0x34) returned 1 [0296.380] GetFileType (hFile=0x94) returned 0x2 [0296.380] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2f8f338 | out: lpMode=0x2f8f338) returned 1 [0296.380] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a12e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2f8f344, lpReserved=0x0 | out: lpBuffer=0x1a12e4*, lpNumberOfCharsWritten=0x2f8f344*=0x2) returned 1 [0296.381] NetApiBufferFree (Buffer=0x3427d58) returned 0x0 [0296.381] NetApiBufferFree (Buffer=0x3427d70) returned 0x0 [0296.381] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop sophos /y" [0296.381] exit (_Code=2) Thread: id = 269 os_tid = 0x1088 Process: id = "112" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x19e50000" os_pid = "0x109c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"sc.exe\" config SQLTELEMETRY start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 270 os_tid = 0x10fc [0296.847] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0296.847] __set_app_type (_Type=0x1) [0296.847] __p__fmode () returned 0x776f3c14 [0296.848] __p__commode () returned 0x776f49ec [0296.848] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdf5f00) returned 0x0 [0296.848] __wgetmainargs (in: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030, _DoWildCard=0, _StartInfo=0xdfe03c | out: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030) returned 0 [0296.848] SetThreadUILanguage (LangId=0x0) returned 0xa10409 [0296.851] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0296.851] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0296.851] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0296.851] _wcsicmp (_String1="config", _String2="query") returned -14 [0296.851] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0296.851] _wcsicmp (_String1="config", _String2="start") returned -16 [0296.852] _wcsicmp (_String1="config", _String2="pause") returned -13 [0296.852] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0296.852] _wcsicmp (_String1="config", _String2="control") returned -14 [0296.852] _wcsicmp (_String1="config", _String2="continue") returned -14 [0296.852] _wcsicmp (_String1="config", _String2="stop") returned -16 [0296.852] _wcsicmp (_String1="config", _String2="config") returned 0 [0296.852] ResolveDelayLoadedAPI () returned 0x7770c440 [0296.852] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2fd04e8 [0296.856] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0296.856] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0296.856] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0296.856] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0296.856] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0296.856] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0296.856] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0296.856] OpenServiceW (hSCManager=0x2fd04e8, lpServiceName="SQLTELEMETRY", dwDesiredAccess=0x3) returned 0x0 [0296.857] GetLastError () returned 0x424 [0296.857] _ultow (in: _Dest=0x424, _Radix=12844248 | out: _Dest=0x424) returned="1060" [0296.857] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xdfe3c0, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0296.902] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xc3fcb4, nSize=0x2, Arguments=0xc3fccc | out: lpBuffer="搠˽ﳴÃ蕗ß\x04") returned 0x62 [0296.904] GetFileType (hFile=0x2d0) returned 0x3 [0296.904] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x2fd60b0 [0296.904] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x2fd60b0, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0296.904] WriteFile (in: hFile=0x2d0, lpBuffer=0x2fd60b0*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0xc3fca8, lpOverlapped=0x0 | out: lpBuffer=0x2fd60b0*, lpNumberOfBytesWritten=0xc3fca8*=0x62, lpOverlapped=0x0) returned 1 [0296.948] LocalFree (hMem=0x2fd60b0) returned 0x0 [0296.948] LocalFree (hMem=0x2fd6420) returned 0x0 [0296.948] LocalFree (hMem=0x0) returned 0x0 [0296.948] CloseServiceHandle (hSCObject=0x2fd04e8) returned 1 [0296.993] LocalFree (hMem=0x0) returned 0x0 [0296.993] exit (_Code=1060) Thread: id = 274 os_tid = 0x13f0 Process: id = "113" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x18f08000" os_pid = "0x1098" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "112" os_parent_pid = "0x109c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 271 os_tid = 0x1080 Thread: id = 272 os_tid = 0x13ec Thread: id = 273 os_tid = 0x1084 Process: id = "114" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0xbbdd000" os_pid = "0x13cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"sc.exe\" config SQLTELEMETRY$ECWDB2 start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 275 os_tid = 0x13e4 [0297.257] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0297.257] __set_app_type (_Type=0x1) [0297.257] __p__fmode () returned 0x776f3c14 [0297.257] __p__commode () returned 0x776f49ec [0297.257] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdf5f00) returned 0x0 [0297.257] __wgetmainargs (in: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030, _DoWildCard=0, _StartInfo=0xdfe03c | out: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030) returned 0 [0297.257] SetThreadUILanguage (LangId=0x0) returned 0x30b0409 [0297.260] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.260] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0297.260] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0297.260] _wcsicmp (_String1="config", _String2="query") returned -14 [0297.260] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0297.261] _wcsicmp (_String1="config", _String2="start") returned -16 [0297.261] _wcsicmp (_String1="config", _String2="pause") returned -13 [0297.261] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0297.261] _wcsicmp (_String1="config", _String2="control") returned -14 [0297.261] _wcsicmp (_String1="config", _String2="continue") returned -14 [0297.261] _wcsicmp (_String1="config", _String2="stop") returned -16 [0297.261] _wcsicmp (_String1="config", _String2="config") returned 0 [0297.261] ResolveDelayLoadedAPI () returned 0x7770c440 [0297.261] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2e604e8 [0297.265] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0297.265] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0297.265] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0297.265] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0297.265] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0297.265] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0297.265] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0297.265] OpenServiceW (hSCManager=0x2e604e8, lpServiceName="SQLTELEMETRY$ECWDB2", dwDesiredAccess=0x3) returned 0x0 [0297.265] GetLastError () returned 0x424 [0297.265] _ultow (in: _Dest=0x424, _Radix=13499152 | out: _Dest=0x424) returned="1060" [0297.265] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xdfe3c0, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0297.266] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xcdfaec, nSize=0x2, Arguments=0xcdfb04 | out: lpBuffer="搸˦שּׁÍ蕗ß\x04") returned 0x62 [0297.267] GetFileType (hFile=0x2d0) returned 0x3 [0297.267] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x2e660c8 [0297.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x2e660c8, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0297.267] WriteFile (in: hFile=0x2d0, lpBuffer=0x2e660c8*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0xcdfae0, lpOverlapped=0x0 | out: lpBuffer=0x2e660c8*, lpNumberOfBytesWritten=0xcdfae0*=0x62, lpOverlapped=0x0) returned 1 [0297.267] LocalFree (hMem=0x2e660c8) returned 0x0 [0297.267] LocalFree (hMem=0x2e66438) returned 0x0 [0297.267] LocalFree (hMem=0x0) returned 0x0 [0297.267] CloseServiceHandle (hSCObject=0x2e604e8) returned 1 [0297.267] LocalFree (hMem=0x0) returned 0x0 [0297.267] exit (_Code=1060) Thread: id = 279 os_tid = 0x10f0 Process: id = "115" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5b1bc000" os_pid = "0x1390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "114" os_parent_pid = "0x13cc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 276 os_tid = 0x13e8 Thread: id = 277 os_tid = 0x10ac Thread: id = 278 os_tid = 0x112c Process: id = "116" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x138e2000" os_pid = "0x10a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"sc.exe\" config SQLWriter start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 280 os_tid = 0x10e0 [0297.509] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0297.509] __set_app_type (_Type=0x1) [0297.509] __p__fmode () returned 0x776f3c14 [0297.509] __p__commode () returned 0x776f49ec [0297.510] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdf5f00) returned 0x0 [0297.510] __wgetmainargs (in: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030, _DoWildCard=0, _StartInfo=0xdfe03c | out: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030) returned 0 [0297.510] SetThreadUILanguage (LangId=0x0) returned 0x3070409 [0297.513] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.513] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0297.513] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0297.513] _wcsicmp (_String1="config", _String2="query") returned -14 [0297.513] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0297.513] _wcsicmp (_String1="config", _String2="start") returned -16 [0297.513] _wcsicmp (_String1="config", _String2="pause") returned -13 [0297.513] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0297.513] _wcsicmp (_String1="config", _String2="control") returned -14 [0297.513] _wcsicmp (_String1="config", _String2="continue") returned -14 [0297.513] _wcsicmp (_String1="config", _String2="stop") returned -16 [0297.513] _wcsicmp (_String1="config", _String2="config") returned 0 [0297.513] ResolveDelayLoadedAPI () returned 0x7770c440 [0297.514] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x33a04e8 [0297.518] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0297.518] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0297.518] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0297.518] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0297.518] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0297.518] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0297.518] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0297.518] OpenServiceW (hSCManager=0x33a04e8, lpServiceName="SQLWriter", dwDesiredAccess=0x3) returned 0x0 [0297.518] GetLastError () returned 0x424 [0297.518] _ultow (in: _Dest=0x424, _Radix=53082020 | out: _Dest=0x424) returned="1060" [0297.518] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xdfe3c0, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0297.519] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x329f780, nSize=0x2, Arguments=0x329f798 | out: lpBuffer="搠̺̩蕗ß\x04") returned 0x62 [0297.520] GetFileType (hFile=0x2d0) returned 0x3 [0297.520] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x33a60b0 [0297.520] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x33a60b0, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0297.520] WriteFile (in: hFile=0x2d0, lpBuffer=0x33a60b0*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x329f774, lpOverlapped=0x0 | out: lpBuffer=0x33a60b0*, lpNumberOfBytesWritten=0x329f774*=0x62, lpOverlapped=0x0) returned 1 [0297.520] LocalFree (hMem=0x33a60b0) returned 0x0 [0297.520] LocalFree (hMem=0x33a6420) returned 0x0 [0297.520] LocalFree (hMem=0x0) returned 0x0 [0297.520] CloseServiceHandle (hSCObject=0x33a04e8) returned 1 [0297.520] LocalFree (hMem=0x0) returned 0x0 [0297.520] exit (_Code=1060) Thread: id = 284 os_tid = 0xdf4 Process: id = "117" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5d29000" os_pid = "0x10ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "116" os_parent_pid = "0x10a4" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 281 os_tid = 0x10e4 Thread: id = 282 os_tid = 0xdcc Thread: id = 283 os_tid = 0xdfc Process: id = "118" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x4f7e7000" os_pid = "0x125c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"sc.exe\" config SstpSvc start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 285 os_tid = 0x6ec [0297.876] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0297.876] __set_app_type (_Type=0x1) [0297.876] __p__fmode () returned 0x776f3c14 [0297.876] __p__commode () returned 0x776f49ec [0297.876] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdf5f00) returned 0x0 [0297.876] __wgetmainargs (in: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030, _DoWildCard=0, _StartInfo=0xdfe03c | out: _Argc=0xdfe028, _Argv=0xdfe02c, _Env=0xdfe030) returned 0 [0297.876] SetThreadUILanguage (LangId=0x0) returned 0xaa0409 [0297.880] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.880] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2d0 [0297.880] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0297.880] _wcsicmp (_String1="config", _String2="query") returned -14 [0297.880] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0297.880] _wcsicmp (_String1="config", _String2="start") returned -16 [0297.880] _wcsicmp (_String1="config", _String2="pause") returned -13 [0297.880] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0297.880] _wcsicmp (_String1="config", _String2="control") returned -14 [0297.880] _wcsicmp (_String1="config", _String2="continue") returned -14 [0297.880] _wcsicmp (_String1="config", _String2="stop") returned -16 [0297.880] _wcsicmp (_String1="config", _String2="config") returned 0 [0297.880] ResolveDelayLoadedAPI () returned 0x7770c440 [0297.880] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x1104e8 [0297.885] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0297.885] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0297.885] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0297.885] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0297.885] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0297.885] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0297.885] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0297.885] OpenServiceW (hSCManager=0x1104e8, lpServiceName="SstpSvc", dwDesiredAccess=0x3) returned 0x116358 [0297.886] ResolveDelayLoadedAPI () returned 0x7770bee0 [0297.886] QueryServiceConfig2W (in: hService=0x116358, dwInfoLevel=0x3, lpBuffer=0xc7f774, cbBufSize=0x4, pcbBytesNeeded=0xc7f76c | out: lpBuffer=0xc7f774, pcbBytesNeeded=0xc7f76c) returned 1 [0297.887] ChangeServiceConfigW (in: hService=0x116358, dwServiceType=0xffffffff, dwStartType=0x4, dwErrorControl=0xffffffff, lpBinaryPathName=0x0, lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0, lpDisplayName=0x0 | out: lpdwTagId=0x0) returned 1 [0297.888] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0xc7f728, nSize=0x2, Arguments=0xc7f76c | out: lpBuffer="您\x11Ç빊ß\x04") returned 0x22 [0297.889] GetFileType (hFile=0x2d0) returned 0x3 [0297.889] LocalAlloc (uFlags=0x0, uBytes=0x44) returned 0x110538 [0297.889] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] ChangeServiceConfig SUCCESS\r\n", cchWideChar=34, lpMultiByteStr=0x110538, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] ChangeServiceConfig SUCCESS\r\ns", lpUsedDefaultChar=0x0) returned 34 [0297.889] WriteFile (in: hFile=0x2d0, lpBuffer=0x110538*, nNumberOfBytesToWrite=0x22, lpNumberOfBytesWritten=0xc7f71c, lpOverlapped=0x0 | out: lpBuffer=0x110538*, lpNumberOfBytesWritten=0xc7f71c*=0x22, lpOverlapped=0x0) returned 1 [0297.889] LocalFree (hMem=0x110538) returned 0x0 [0297.889] LocalFree (hMem=0x1160a8) returned 0x0 [0297.889] LocalFree (hMem=0x0) returned 0x0 [0297.889] CloseServiceHandle (hSCObject=0x116358) returned 1 [0297.890] CloseServiceHandle (hSCObject=0x1104e8) returned 1 [0297.890] LocalFree (hMem=0x0) returned 0x0 [0297.890] exit (_Code=0) Thread: id = 289 os_tid = 0x13f4 Process: id = "119" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59242000" os_pid = "0x6d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "118" os_parent_pid = "0x125c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 286 os_tid = 0xdb8 Thread: id = 287 os_tid = 0xe54 Thread: id = 288 os_tid = 0xf0 Process: id = "120" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x37281000" os_pid = "0x648" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"taskkill.exe\" /IM mspub.exe /F" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 290 os_tid = 0x1ec Thread: id = 294 os_tid = 0xea4 Thread: id = 295 os_tid = 0xf18 Thread: id = 296 os_tid = 0xef4 Thread: id = 297 os_tid = 0xdb0 Thread: id = 298 os_tid = 0x10dc Process: id = "121" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x14770000" os_pid = "0x5b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "120" os_parent_pid = "0x648" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 291 os_tid = 0xa80 Thread: id = 292 os_tid = 0x440 Thread: id = 293 os_tid = 0x2bc Process: id = "122" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x742fe000" os_pid = "0x3ac" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "120" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 299 os_tid = 0x1344 Thread: id = 300 os_tid = 0x120c Thread: id = 301 os_tid = 0x300 Thread: id = 302 os_tid = 0x12d8 Thread: id = 303 os_tid = 0x12d4 Thread: id = 304 os_tid = 0x12d0 Thread: id = 305 os_tid = 0x12cc Thread: id = 306 os_tid = 0x12c8 Thread: id = 307 os_tid = 0x12c4 Thread: id = 308 os_tid = 0x1278 Thread: id = 309 os_tid = 0x1284 Thread: id = 310 os_tid = 0x1280 Thread: id = 311 os_tid = 0x127c Thread: id = 312 os_tid = 0x1270 Thread: id = 313 os_tid = 0x1078 Thread: id = 314 os_tid = 0x1074 Thread: id = 315 os_tid = 0x1068 Thread: id = 316 os_tid = 0x1064 Thread: id = 317 os_tid = 0x1060 Thread: id = 318 os_tid = 0x105c Thread: id = 319 os_tid = 0x1010 Thread: id = 320 os_tid = 0xfbc Thread: id = 321 os_tid = 0xf0c Thread: id = 322 os_tid = 0xf04 Thread: id = 323 os_tid = 0xaa0 Thread: id = 324 os_tid = 0xa30 Thread: id = 325 os_tid = 0xa14 Thread: id = 326 os_tid = 0xa0c Thread: id = 327 os_tid = 0x9e8 Thread: id = 328 os_tid = 0x9e0 Thread: id = 329 os_tid = 0x9d8 Thread: id = 330 os_tid = 0x9cc Thread: id = 331 os_tid = 0x9c4 Thread: id = 332 os_tid = 0x9b8 Thread: id = 333 os_tid = 0x9b0 Thread: id = 334 os_tid = 0x9a0 Thread: id = 335 os_tid = 0x998 Thread: id = 336 os_tid = 0x984 Thread: id = 337 os_tid = 0x978 Thread: id = 338 os_tid = 0x968 Thread: id = 339 os_tid = 0x95c Thread: id = 340 os_tid = 0x958 Thread: id = 341 os_tid = 0x944 Thread: id = 342 os_tid = 0x930 Thread: id = 343 os_tid = 0x914 Thread: id = 344 os_tid = 0x8ac Thread: id = 345 os_tid = 0x840 Thread: id = 346 os_tid = 0x83c Thread: id = 347 os_tid = 0x430 Thread: id = 348 os_tid = 0x7c0 Thread: id = 349 os_tid = 0x7bc Thread: id = 350 os_tid = 0x7ac Thread: id = 351 os_tid = 0x784 Thread: id = 352 os_tid = 0x780 Thread: id = 353 os_tid = 0x77c Thread: id = 354 os_tid = 0x6fc Thread: id = 355 os_tid = 0x678 Thread: id = 356 os_tid = 0x670 Thread: id = 357 os_tid = 0x660 Thread: id = 358 os_tid = 0x654 Thread: id = 359 os_tid = 0x61c Thread: id = 360 os_tid = 0x5d0 Thread: id = 361 os_tid = 0x5a0 Thread: id = 362 os_tid = 0x4ac Thread: id = 363 os_tid = 0x41c Thread: id = 364 os_tid = 0x414 Thread: id = 365 os_tid = 0x404 Thread: id = 366 os_tid = 0x158 Thread: id = 367 os_tid = 0x39c Thread: id = 368 os_tid = 0x2e8 Thread: id = 369 os_tid = 0x180 Thread: id = 370 os_tid = 0x234 Thread: id = 371 os_tid = 0x26c Thread: id = 372 os_tid = 0x2a0 Thread: id = 373 os_tid = 0x170 Thread: id = 374 os_tid = 0x1a8 Thread: id = 375 os_tid = 0x16c Thread: id = 376 os_tid = 0x3b0 Thread: id = 377 os_tid = 0xef8 Thread: id = 378 os_tid = 0xed4 Thread: id = 379 os_tid = 0xebc Thread: id = 380 os_tid = 0x6e0 Thread: id = 381 os_tid = 0xa20 Process: id = "123" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x5b704000" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"taskkill.exe\" /IM mydesktopqos.exe /F" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 382 os_tid = 0xd7c Thread: id = 386 os_tid = 0x12dc Thread: id = 387 os_tid = 0xe34 Thread: id = 388 os_tid = 0x13a4 Thread: id = 389 os_tid = 0x1028 Process: id = "124" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x58ce6000" os_pid = "0x85c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "123" os_parent_pid = "0xfdc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 383 os_tid = 0xe78 Thread: id = 384 os_tid = 0xab4 Thread: id = 385 os_tid = 0x4b0 Process: id = "125" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x19109000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"taskkill.exe\" /IM mydesktopservice.exe /F" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 390 os_tid = 0x1304 Thread: id = 394 os_tid = 0x1228 Thread: id = 395 os_tid = 0x113c Thread: id = 396 os_tid = 0x1334 Thread: id = 397 os_tid = 0x1244 Process: id = "126" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3f332000" os_pid = "0x1300" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "125" os_parent_pid = "0xf58" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 391 os_tid = 0x56c Thread: id = 392 os_tid = 0x1150 Thread: id = 393 os_tid = 0xd38 Process: id = "127" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x5932c000" os_pid = "0x117c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" Delete Shadows /all /quiet" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 398 os_tid = 0xfd4 Thread: id = 402 os_tid = 0x11e0 Thread: id = 403 os_tid = 0x11a4 Thread: id = 404 os_tid = 0x12e4 Thread: id = 405 os_tid = 0x11c8 Process: id = "128" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59324000" os_pid = "0x1178" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "127" os_parent_pid = "0x117c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 399 os_tid = 0x1140 Thread: id = 400 os_tid = 0x1168 Thread: id = 401 os_tid = 0x520 Process: id = "129" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x77531000" os_pid = "0x12e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=c: /on=c: /maxsize=401MB" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 406 os_tid = 0x11cc Thread: id = 410 os_tid = 0xa24 Thread: id = 411 os_tid = 0x1290 Thread: id = 412 os_tid = 0x12f8 Thread: id = 413 os_tid = 0x11d4 Process: id = "130" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x77778000" os_pid = "0x116c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "129" os_parent_pid = "0x12e0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 407 os_tid = 0xecc Thread: id = 408 os_tid = 0x1260 Thread: id = 409 os_tid = 0x1148 Process: id = "131" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x59736000" os_pid = "0x1020" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=c: /on=c: /maxsize=unbounded" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 414 os_tid = 0xf44 Thread: id = 418 os_tid = 0x1318 Thread: id = 419 os_tid = 0x11a8 Thread: id = 420 os_tid = 0x1160 Thread: id = 421 os_tid = 0x1248 Process: id = "132" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x596e7000" os_pid = "0x1288" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "131" os_parent_pid = "0x1020" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 415 os_tid = 0x11b0 Thread: id = 416 os_tid = 0x11bc Thread: id = 417 os_tid = 0x11c4 Process: id = "133" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x6ebb000" os_pid = "0x121c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=d: /on=d: /maxsize=401MB" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 422 os_tid = 0x11f8 Thread: id = 426 os_tid = 0x11c0 Thread: id = 427 os_tid = 0xa50 Thread: id = 428 os_tid = 0x11b4 Thread: id = 429 os_tid = 0x760 Process: id = "134" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59712000" os_pid = "0x115c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "133" os_parent_pid = "0x121c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 423 os_tid = 0x128c Thread: id = 424 os_tid = 0x12a4 Thread: id = 425 os_tid = 0x1128 Process: id = "135" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x13940000" os_pid = "0x11b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=d: /on=d: /maxsize=unbounded" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 430 os_tid = 0x1320 Thread: id = 434 os_tid = 0xa38 Thread: id = 435 os_tid = 0x1184 Thread: id = 436 os_tid = 0x1338 Thread: id = 437 os_tid = 0x13a0 Process: id = "136" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x777ca000" os_pid = "0x8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "135" os_parent_pid = "0x11b8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 431 os_tid = 0xf98 Thread: id = 432 os_tid = 0x12ac Thread: id = 433 os_tid = 0x1188 Process: id = "137" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x59045000" os_pid = "0x1110" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=e: /on=e: /maxsize=401MB" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 438 os_tid = 0x110c Thread: id = 442 os_tid = 0x1220 Thread: id = 443 os_tid = 0x1230 Thread: id = 444 os_tid = 0x12f4 Thread: id = 445 os_tid = 0xeac Process: id = "138" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x12084000" os_pid = "0x12f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "137" os_parent_pid = "0x1110" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 439 os_tid = 0xa88 Thread: id = 440 os_tid = 0x1040 Thread: id = 441 os_tid = 0x11a0 Process: id = "139" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x59bca000" os_pid = "0x1158" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=e: /on=e: /maxsize=unbounded" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 446 os_tid = 0x1200 Thread: id = 450 os_tid = 0xef0 Thread: id = 451 os_tid = 0xee8 Thread: id = 452 os_tid = 0x119c Thread: id = 453 os_tid = 0x310 Process: id = "140" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x596b7000" os_pid = "0x12a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "139" os_parent_pid = "0x1158" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 447 os_tid = 0x1144 Thread: id = 448 os_tid = 0xf78 Thread: id = 449 os_tid = 0xfec Process: id = "141" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x6f4d000" os_pid = "0x1240" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x4b4" cmd_line = "\"vssadmin.exe\" resize shadowstorage /for=f: /on=f: /maxsize=401MB" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 454 os_tid = 0x4f4 Process: id = "142" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5ca4f000" os_pid = "0xf7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "141" os_parent_pid = "0x1240" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 455 os_tid = 0x1234